Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Reflected XSS. This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.1.1.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw that stems from improper sanitization of user input when the Run Contests, Raffles, and Giveaways with ContestsWP plugin processes request parameters during web page generation. An attacker can inject and execute arbitrary JavaScript in the victim’s browser, potentially leading to theft of session cookies, credential hijacking, defacement or the delivery of further malware. The compromise is confined to the scope of the web application that uses the plugin and can affect anyone who visits the page containing the vulnerable parameter.

Affected Systems

The flaw exists in the WordPress plugin Run Contests, Raffles, and Giveaways with ContestsWP, versions starting from an unspecified initial release and continuing through version 2.1.1. The plugin is provided by the vendor mdedev and is commonly installed on WordPress sites that host contests, raffles or giveaways.

Risk and Exploitability

The reported CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1% suggests that, so far, exploitation is unlikely. The vulnerability is not listed in CISA's KEV catalog, implying no widely known, actively exploited instances as of the data available. The likely attack vector is the web application layer, where a crafted URL or request parameter carrying JavaScript is reflected back into the page without proper output encoding and executes in the browser of the user who opens it.

Generated by OpenCVE AI on May 1, 2026 at 09:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Run Contests, Raffles, and Giveaways plugin to version 2.1.2 or later to eliminate the reflected XSS flaw.
  • If upgrading is not possible immediately, restrict or sanitize all plugin input fields and remove any unsanitized echo statements on the front‑end pages of the plugin.
  • Add a WAF rule that blocks standard XSS payloads targeting this plugin’s URLs.
  • Configure a Content Security Policy header that restricts script sources to trusted origins and blocks inline scripts.
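As an added illustration of the second and fourth recommendations (not code from the ContestsWP plugin; the request parameter `contest_code`, the `ccwp_*` function names and the fallback helpers are hypothetical), the unsanitized-echo pattern is shown beside a hardened version that uses WordPress's escaping helpers and sends a CSP header:

```php
<?php
// Added example, not the ContestsWP plugin's code. The parameter name
// 'contest_code' and all ccwp_* function names are hypothetical.
// Minimal stand-ins for the WordPress helpers so the file also runs under
// plain `php` outside WordPress; inside WordPress the real ones are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $t ) { return htmlspecialchars( $t, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
    function esc_attr( $t ) { return htmlspecialchars( $t, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
    function wp_unslash( $t ) { return stripslashes( $t ); }
    function sanitize_text_field( $t ) { return trim( strip_tags( $t ) ); }
}

// Vulnerable pattern: the request value is written straight into HTML, so
// markup supplied in the URL is rendered (and any script in it executed)
// by the visitor's browser.
function ccwp_render_code_vulnerable( array $get ) {
    $code = isset( $get['contest_code'] ) ? $get['contest_code'] : '';
    return '<p>You entered: ' . $code . '</p>';
}

// Hardened pattern: unslash and sanitize on input, then escape for the exact
// output context (HTML text via esc_html, attribute value via esc_attr).
function ccwp_render_code_hardened( array $get ) {
    $code = isset( $get['contest_code'] )
        ? sanitize_text_field( wp_unslash( $get['contest_code'] ) )
        : '';
    return '<p>You entered: ' . esc_html( $code ) . '</p>'
         . '<input type="text" name="contest_code" value="' . esc_attr( $code ) . '">';
}

// Defense in depth (fourth recommendation): a CSP that blocks inline scripts
// even if an escape is missed. Registered on WordPress's send_headers hook
// when WordPress is loaded.
function ccwp_send_csp() {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'" );
    }
}
if ( function_exists( 'add_action' ) ) {
    add_action( 'send_headers', 'ccwp_send_csp' );
}

// Constructed sample input: a value carrying HTML markup, as a crafted URL would.
$sample = array( 'contest_code' => 'ABC123"><b>bold</b>' );
echo ccwp_render_code_vulnerable( $sample ), "\n"; // markup is live in the page
echo ccwp_render_code_hardened( $sample ), "\n";   // tags stripped, quotes and brackets encoded
```

Running the file under plain `php` prints both renderings so the difference in the emitted HTML can be compared directly.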

Advisories
Source: EUVD
ID: EUVD-2025-11713
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP allows Reflected XSS. This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through 2.0.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP allows Reflected XSS. This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through 2.0.6.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Reflected XSS. This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.1.1.
Title
  Removed: WordPress Run Contests, Raffles, and Giveaways Plugin <= 2.0.6 - Reflected Cross Site Scripting (XSS) vulnerability
  Added: WordPress Run Contests, Raffles, and Giveaways plugin <= 2.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP allows Reflected XSS. This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through 2.0.6.
Title WordPress Run Contests, Raffles, and Giveaways Plugin <= 2.0.6 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:11:17.422Z

Reserved: 2025-04-09T11:20:51.368Z

Link: CVE-2025-32634

Vulnrichment

Updated: 2025-04-17T18:08:07.108Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:47.860

Modified: 2026-04-23T15:29:15.130

Link: CVE-2025-32634

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:00:12Z

Weaknesses