Impact
A vulnerability in the Contest Gallery WordPress plugin allows the unauthorized disclosure of subscriber information. The flaw is categorized as CWE-497, indicating that sensitive data is exposed via an insecure interface. Attackers who can trigger the vulnerable path can obtain personal subscriber details that should be protected, potentially impacting privacy but not granting code execution or system compromise.
Affected Systems
The issue affects the Wasiliy Strecker Contest Gallery plugin for WordPress versions 28.1.7 and earlier. Users running these legacy versions should update to at least 29.0.0, which contains the fix for the exposed subscriber data endpoint.
Risk and Exploitability
The CVSS score of 6.5 reflects a moderate impact with a medium level of accessibility for attackers. The EPSS score of '< 1%' indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the plugin's exposed data retrieval endpoint, which an unauthorized user could access if they discover the URL or through administrative interfaces. No publicly known active exploits are documented, but the low exploitation probability does not eliminate the need for remediation.
OpenCVE Enrichment