{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10383", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-12T20:24:46.177Z", "datePublished": "2025-10-04T03:33:31.544Z", "dateUpdated": "2026-04-08T17:28:16.443Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:16.443Z"}, "affected": [{"vendor": "contest-gallery", "product": "Contest Gallery \u2013 Upload & Vote Photos, Media, Sell with PayPal & Stripe", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "27.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Contest Gallery \u2013 Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Contest Gallery \u2013 Upload, Vote & Sell with PayPal and Stripe <= 27.0.2 - Authenticated (Author+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de379f74-660a-4e59-b1c4-4b88dff8a843?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/input.php#L367"}, {"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/input.php#L381"}, {"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/input.php#L389"}, {"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/textarea.php#L330"}, {"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/textarea.php#L338"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3372123%40contest-gallery&new=3372123%40contest-gallery&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Aur\u00e9lien BOURDOIS"}], "timeline": [{"time": "2025-09-12T20:39:55.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-03T14:48:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-06T15:54:44.743324Z", "id": "CVE-2025-10383", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T15:55:20.550Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10383", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-06T15:54:44.743324Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T15:54:49.601Z"}}], "cna": {"title": "Contest Gallery \u2013 Upload, Vote & Sell with PayPal and Stripe <= 27.0.2 - Authenticated (Author+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Aur\u00e9lien BOURDOIS"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "contest-gallery", "product": "Contest Gallery \u2013 Upload & Vote Photos, Media, Sell with PayPal & Stripe", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "27.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-12T20:39:55.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-03T14:48:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de379f74-660a-4e59-b1c4-4b88dff8a843?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/input.php#L367"}, {"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/input.php#L381"}, {"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/input.php#L389"}, {"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/textarea.php#L330"}, {"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/textarea.php#L338"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3372123%40contest-gallery&new=3372123%40contest-gallery&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Contest Gallery \u2013 Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:16.443Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10383", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:16.443Z", "dateReserved": "2025-09-12T20:24:46.177Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-04T03:33:31.544Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Contest Gallery \u2013 Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-10383", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-04T04:16:23.820", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/input.php#L367"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/input.php#L381"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/input.php#L389"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/textarea.php#L330"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.1.1/v10/v10-admin/upload/fields/textarea.php#L338"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3372123%40contest-gallery&new=3372123%40contest-gallery&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de379f74-660a-4e59-b1c4-4b88dff8a843?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:28:56.668133+00:00", "value": {"mitigation_remediation": ["Upgrade the Contest Gallery plugin to the latest version (\u2265\u202f27.0.3) to eliminate the stored XSS flaw.", "If an upgrade is not immediately possible, restrict author or contributor capabilities to remove access to the upload and voting functionality, thereby limiting the ability to inject malicious content.", "Implement a restrictive Content Security Policy that disallows inline scripts and limits script sources to trusted domains, which mitigates the impact of any remaining XSS payloads."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress installations running the Contest Gallery \u2013 Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin in any version up to and including 27.0.2. The vulnerability is present in all components referenced in the plugin\u2019s admin upload and textarea field files.", "description_and_impact": "The Contest Gallery \u2013 Upload, Vote & Sell with PayPal and Stripe plugin is vulnerable to a stored cross\u2011site scripting flaw caused by insufficient input sanitization and output escaping in multiple form field parameters. Authenticated attackers with author\u2011level access or higher can inject arbitrary web scripts into pages that will execute whenever a user visits an injected page. This allows injected code to run in the victim\u2019s browser, potentially exposing session cookies, defacing content, or performing other malicious actions, thereby impacting the confidentiality and integrity of the website\u2019s data and the availability of the service for affected users.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be logged in with author\u2011level or higher privileges; therefore the likely attack vector is a compromised author account or a malicious contributor account. Once the vector is in place, the attacker can embed malicious scripts that persist across sessions and affect all users who view the injected content."}}}}, "created": "2025-10-06T14:42:05.646977+00:00", "updated": "2026-04-21T02:30:25.835792+00:00", "vendors": ["contest-gallery", "contest-gallery$PRODUCT$contest_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}