Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Stored XSS.This issue affects Contest Gallery: from n/a through <= 26.0.6.
Analysis (AI)
Stored cross-site scripting (XSS) in the Contest Gallery WordPress plugin, versions 26.0.6 and earlier, allows an attacker who can get content into data the plugin stores (the NVD description does not state which privilege level is required) to inject script that executes in the browsers of other users who view the affected pages. The root cause is improper neutralization of input during web page generation: user-supplied content is persisted and later written into HTML output without adequate escaping. No public exploit code has been identified, and the EPSS score (0.04% probability) indicates a low likelihood of exploitation in the wild.
Technical Context (AI)
Contest Gallery is a WordPress plugin that manages contest submissions and displays gallery content. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input is not properly sanitized or escaped before it is rendered into HTML. This is a server-side validation and output-encoding failure, not a client-side DOM-based issue. Because the variant is stored, the payload persists in the database and fires for every user who later views the affected content, with no need to lure a victim to a crafted link as reflected XSS would require. As with any stored XSS in WordPress, script that runs while an administrator views the page runs with that administrator's session and can perform any action the dashboard allows.
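To make the CWE-79 mechanism concrete, here is an added illustration written for this page; it is not Contest Gallery's code and does not reflect its actual source. The plugin shape, the function names (render_caption_vulnerable, render_caption_escaped, leaks_user_markup), the markup and the sample payload are all hypothetical. When WordPress is not loaded, the script defines stand-ins for core's esc_html() and esc_attr() so it can be run from the PHP CLI; inside WordPress the core functions are used.

```php
<?php
// Added example (not Contest Gallery's code): a hypothetical WordPress plugin
// that stores a contestant's caption and later renders it in a gallery page.
// Function names, markup and the sample payload are illustrative.

// Stand-ins so the script also runs from the PHP CLI outside WordPress. They
// follow the contract of core's esc_html()/esc_attr(): HTML-encode a value for
// the element-text and quoted-attribute contexts. Inside WordPress the core
// functions already exist and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample submission, as an attacker would type it into a caption
// field. Once saved it sits in the database and is served to every viewer.
$stored_caption = '<img src=x onerror="alert(document.cookie)">';

// CWE-79 as stored XSS: the persisted value is concatenated into the page
// unchanged, so the browser parses the attacker's <img> and runs its onerror.
function render_caption_vulnerable(string $caption): string
{
    return '<figcaption class="cg-caption">' . $caption . '</figcaption>';
}

// Hardened: escape at render time for the exact context the value lands in
// (esc_html for element text, esc_attr inside a quoted attribute). Escaping
// on output also covers rows that were stored before the fix shipped.
function render_caption_escaped(string $caption): string
{
    return '<figcaption class="cg-caption" title="' . esc_attr($caption) . '">'
        . esc_html($caption)
        . '</figcaption>';
}

// Regression check: after rendering, the only '<' characters in the output
// should belong to the template's own <figcaption> tags. Any other '<' came
// from user data and would be parsed by the browser as markup.
function leaks_user_markup(string $html): bool
{
    $without_template = str_replace(['<figcaption', '</figcaption>'], '', $html);
    return strpos($without_template, '<') !== false;
}

echo 'vulnerable: ' . render_caption_vulnerable($stored_caption) . PHP_EOL;
echo 'escaped:    ' . render_caption_escaped($stored_caption) . PHP_EOL;
var_dump(leaks_user_markup(render_caption_vulnerable($stored_caption)));
var_dump(leaks_user_markup(render_caption_escaped($stored_caption)));
```

Run it with `php` on the command line: the first renderer emits the payload verbatim and leaks_user_markup() flags it, the second emits only entity-encoded text. Two points the example is meant to show. First, escaping belongs at output and must match the context: esc_html() and esc_attr() for HTML text and attributes, esc_js() and esc_url() for script and URL contexts, and wp_kses_post() when a limited set of HTML is intentionally allowed. Second, input-side sanitization (for example sanitize_text_field() on save) is worth adding but is not a substitute, because data written before the fix, or by another code path, is still rendered by the same template.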
Affected Products (AI)
Contest Gallery WordPress plugin, all versions up to and including 26.0.6. The earliest affected version is not documented in the available data (the NVD range begins at "n/a"). The plugin is developed by Wasiliy Strecker and distributed through the WordPress plugin repository under the slug contest-gallery.
Remediation (AI)
Update Contest Gallery to the patched version released by the vendor following the disclosure to Patchstack. In the WordPress admin dashboard, open Plugins, locate Contest Gallery and click "Update Now". If a fixed version is not yet available for your site, restrict contest submissions and gallery content editing to trusted users, verify that user roles and capabilities are configured as intended, and consider adding WAF (Web Application Firewall) rules for common XSS payloads as a stopgap; a WAF reduces exposure but does not remove the underlying output-encoding flaw. Content already stored before the fix should be reviewed, since a patch to output escaping protects it but a patch to input sanitization alone does not. The Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-26-0-6-cross-site-scripting-xss-vulnerability lists the specific fix version.