The vulnerability in the mdedev Run Contests, Raffles, and Giveaways with ContestsWP plugin allows an actor with access to the WordPress administration area to retrieve sensitive system information that the plugin inadvertently exposes. The failure to restrict the modes or permissions of the embedded data results in a failure to prevent unauthorized disclosure, which can lead to exposure of credentials, configuration details, or other proprietary information that an attacker could later leverage to compromise the host platform or further infiltrate the network. The weakness is classified as CWE-497.

Users of the WordPress plugin "Run Contests, Raffles, and Giveaways with ContestsWP" from the vendor mdedev, versions up to and including 2.0.7, are affected. The plugin was known to be installed in a variety of WordPress sites and provides contest‑management functionality that may store user input and system data.

The CVSS base score is 5.3, indicating a moderate severity. Likely exploitation would involve an attacker who has gained at least basic administrative access to the WordPress site or can trick an admin into revealing the compromised data, as the plugin’s exposed endpoints do not enforce strict authentication. The EPSS score is below 1%, suggesting that exploitation is rare, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalogue. Nonetheless, the sensitive data exposed could be valuable for attackers, especially if it contains credentials or configuration secrets. Because the vulnerability is tied to a specific plugin rather than the core WordPress engine, remote attackers without site access are not directly able to exploit it, but attackers who succeed in phishing or other social‑engineering attacks against site administrators could benefit greatly.