← back
CVE-2025-11254

Contest Gallery – Upload, Vote & Sell with PayPal and Stripe <= 27.0.3 - Unauthenticated CSV Injection

CVSS 4.3 MEDIUMEPSS 0.3%CWE-1236
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
11 Oct 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Affected products
contest-gallery · Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://plugins.trac.wordpress.org/changeset/3375891/contest-gallery/tags/28.0.0/functions/backend/render/cg-backend-gallery-general.php?old=3372123&old_path=contest-gallery%2Ftags%2F27.0.3%2Ffunctions%2Fbackend%2Frender%2Fcg-backend-gallery-general.phphttps://plugins.trac.wordpress.org/changeset?old_path=/contest-gallery/tags/27.0.3&new_path=/contest-gallery/tags/28.0.0&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/9a0dc62c-786d-40f3-b9c9-bd199a176192?source=cve