CVE-2025-11254
Contest Gallery – Upload, Vote & Sell with PayPal and Stripe <= 27.0.3 - Unauthenticated CSV Injection
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 4.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
11 oct 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Productos afectados
contest-gallery · Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://plugins.trac.wordpress.org/changeset/3375891/contest-gallery/tags/28.0.0/functions/backend/render/cg-backend-gallery-general.php?old=3372123&old_path=contest-gallery%2Ftags%2F27.0.3%2Ffunctions%2Fbackend%2Frender%2Fcg-backend-gallery-general.phphttps://plugins.trac.wordpress.org/changeset?old_path=/contest-gallery/tags/27.0.3&new_path=/contest-gallery/tags/28.0.0&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/9a0dc62c-786d-40f3-b9c9-bd199a176192?source=cve