{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25023", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:51:55.183Z", "datePublished": "2026-02-03T14:08:40.899Z", "dateUpdated": "2026-04-28T16:14:54.023Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "contest-code-checker", "product": "Run Contests, Raffles, and Giveaways with ContestsWP", "vendor": "mdedev", "versions": [{"changes": [{"at": "2.1.1", "status": "unaffected"}], "lessThanOrEqual": "2.0.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:00.028Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Retrieve Embedded Sensitive Data.<p>This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.0.7.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Retrieve Embedded Sensitive Data.This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.0.7."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.023Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/contest-code-checker/vulnerability/wordpress-run-contests-raffles-and-giveaways-with-contestswp-plugin-2-0-7-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Run Contests, Raffles, and Giveaways with ContestsWP plugin <= 2.0.7 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T16:12:02.968658Z", "id": "CVE-2026-25023", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:49:45.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25023", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T16:12:02.968658Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T16:11:55.916Z"}}], "cna": {"title": "WordPress Run Contests, Raffles, and Giveaways with ContestsWP plugin <= 2.0.7 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "mdedev", "product": "Run Contests, Raffles, and Giveaways with ContestsWP", "versions": [{"status": "affected", "changes": [{"at": "2.1.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.7"}], "packageName": "contest-code-checker", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:00.028Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/contest-code-checker/vulnerability/wordpress-run-contests-raffles-and-giveaways-with-contestswp-plugin-2-0-7-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Retrieve Embedded Sensitive Data.This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.0.7.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Retrieve Embedded Sensitive Data.<p>This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.0.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.023Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25023", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:54.023Z", "dateReserved": "2026-01-28T09:51:55.183Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:40.899Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Retrieve Embedded Sensitive Data.This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.0.7."}, {"lang": "es", "value": "Exposici\u00f3n de Informaci\u00f3n Sensible del Sistema a una Esfera de Control No Autorizada vulnerabilidad en mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker permite Recuperar Datos Sensibles Incrustados. Este problema afecta a Run Contests, Raffles, y Giveaways con ContestsWP: desde n/a hasta &lt;= 2.0.7."}], "id": "CVE-2026-25023", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:20.710", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/contest-code-checker/vulnerability/wordpress-run-contests-raffles-and-giveaways-with-contestswp-plugin-2-0-7-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:09:29.908103+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to version 2.0.8 or later, as the vendor has patched the data\u2011exposure issue.", "If an upgrade is not feasible immediately, remove the plugin entirely and replace its functionality with a validated alternative that does not expose sensitive data.", "After removal or upgrade, conduct a review of the WordPress installation for any residual sensitive information that may have been stored by the previous plugin, such as in the database or in deleted files, and enforce strict file permissions to limit read access to the WordPress files."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Users of the WordPress plugin \"Run Contests, Raffles, and Giveaways with ContestsWP\" from the vendor mdedev, versions up to and including 2.0.7, are affected. The plugin was known to be installed in a variety of WordPress sites and provides contest\u2011management functionality that may store user input and system data.", "description_and_impact": "The vulnerability in the mdedev Run Contests, Raffles, and Giveaways with ContestsWP plugin allows an actor with access to the WordPress administration area to retrieve sensitive system information that the plugin inadvertently exposes. The failure to restrict the modes or permissions of the embedded data results in a failure to prevent unauthorized disclosure, which can lead to exposure of credentials, configuration details, or other proprietary information that an attacker could later leverage to compromise the host platform or further infiltrate the network. The weakness is classified as CWE-497.", "risk_and_exploitability": "The CVSS base score is 5.3, indicating a moderate severity. Likely exploitation would involve an attacker who has gained at least basic administrative access to the WordPress site or can trick an admin into revealing the compromised data, as the plugin\u2019s exposed endpoints do not enforce strict authentication. The EPSS score is below 1%, suggesting that exploitation is rare, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalogue. Nonetheless, the sensitive data exposed could be valuable for attackers, especially if it contains credentials or configuration secrets. Because the vulnerability is tied to a specific plugin rather than the core WordPress engine, remote attackers without site access are not directly able to exploit it, but attackers who succeed in phishing or other social\u2011engineering attacks against site administrators could benefit greatly."}}}}, "created": "2026-02-04T12:09:25.699664+00:00", "updated": "2026-04-16T01:15:20.532810+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}