Description
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment feature in all versions up to, and including, 26.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-01
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Update
AI Analysis

Impact

The contest‑gallery plugin for WordPress contains a stored cross‑site scripting flaw in its comment feature that is exploitable by unauthenticated users. The weakness arises from insufficient input sanitization and inadequate output escaping, allowing attackers to embed arbitrary JavaScript that runs whenever an affected page is viewed. This can lead to credential theft, defacement, or further exploitation of clients’ browsers, compromising confidentiality and integrity of user sessions.

Affected Systems

WordPress sites using the contest‑gallery plugin, versions up to and including 26.1.0, are vulnerable. All other plugin versions are not listed as affected.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, but the EPSS score of less than 1% suggests that exploitation is unlikely at this time. This vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is via unauthenticated comment submission, which is inferred from the description, as the comment feature can be accessed without user authentication.

Generated by OpenCVE AI on April 22, 2026 at 14:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade contest‑gallery to a version newer than 26.1.0
  • If an upgrade is not immediately possible, disable or restrict comment posting to authenticated users only
  • Implement web application firewall rules or input validation to block script injection through comment fields

Generated by OpenCVE AI on April 22, 2026 at 14:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23335 The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment feature in all versions up to, and including, 26.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 04 Aug 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Contest-gallery
Contest-gallery contest Gallery
Contest Gallery
Contest Gallery contest Gallery
Wordpress
Wordpress wordpress
Vendors & Products Contest-gallery
Contest-gallery contest Gallery
Contest Gallery
Contest Gallery contest Gallery
Wordpress
Wordpress wordpress

Fri, 01 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 Aug 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment feature in all versions up to, and including, 26.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI <= 26.1.0 - Unauthenticated Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Contest-gallery Contest Gallery
Contest Gallery Contest Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:33.722Z

Reserved: 2025-07-16T17:57:26.355Z

Link: CVE-2025-7725

cve-icon Vulnrichment

Updated: 2025-08-01T19:13:50.905Z

cve-icon NVD

Status : Deferred

Published: 2025-08-01T05:15:36.907

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7725

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses