Description
The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-04
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin is vulnerable to a stored cross‑site scripting flaw caused by insufficient input sanitization and output escaping in multiple form field parameters. Authenticated attackers with author‑level access or higher can inject arbitrary web scripts into pages that will execute whenever a user visits an injected page. This allows injected code to run in the victim’s browser, potentially exposing session cookies, defacing content, or performing other malicious actions, thereby impacting the confidentiality and integrity of the website’s data and the availability of the service for affected users.

Affected Systems

WordPress installations running the Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin in any version up to and including 27.0.2. The vulnerability is present in all components referenced in the plugin’s admin upload and textarea field files.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be logged in with author‑level or higher privileges; therefore the likely attack vector is a compromised author account or a malicious contributor account. Once the vector is in place, the attacker can embed malicious scripts that persist across sessions and affect all users who view the injected content.

Generated by OpenCVE AI on April 21, 2026 at 02:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Contest Gallery plugin to the latest version (≥ 27.0.3) to eliminate the stored XSS flaw.
  • If an upgrade is not immediately possible, restrict author or contributor capabilities to remove access to the upload and voting functionality, thereby limiting the ability to inject malicious content.
  • Implement a restrictive Content Security Policy that disallows inline scripts and limits script sources to trusted domains, which mitigates the impact of any remaining XSS payloads.

Generated by OpenCVE AI on April 21, 2026 at 02:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-32405 The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 06 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Contest-gallery
Contest-gallery contest Gallery
Wordpress
Wordpress wordpress
Vendors & Products Contest-gallery
Contest-gallery contest Gallery
Wordpress
Wordpress wordpress

Sat, 04 Oct 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Contest Gallery – Upload, Vote & Sell with PayPal and Stripe <= 27.0.2 - Authenticated (Author+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Contest-gallery Contest Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:16.443Z

Reserved: 2025-09-12T20:24:46.177Z

Link: CVE-2025-10383

cve-icon Vulnrichment

Updated: 2025-10-06T15:54:49.601Z

cve-icon NVD

Status : Deferred

Published: 2025-10-04T04:16:23.820

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10383

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses