CVE-2025-3862
📋 TL;DR
The Contest Gallery WordPress plugin has a stored cross-site scripting (XSS) vulnerability in all versions up to 26.0.6. Authenticated attackers with Contributor-level access or higher can inject malicious scripts via the 'id' parameter, which execute when users view compromised pages. This affects WordPress sites using vulnerable versions of the plugin.
💻 Affected Systems
- Contest Gallery WordPress Plugin
📦 What is this software?
Contest Gallery by Contest Gallery
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts to steal administrator cookies or session tokens, leading to privilege escalation and further site compromise.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, and only trusted users can modify content.
🎯 Exploit Status
Exploitation requires authenticated access (Contributor role or higher). The vulnerability is in a publicly accessible parameter with insufficient sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.0.7
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3288915
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Contest Gallery and click 'Update Now'.
4. Verify the update to version 26.0.7 or later.
🔧 Temporary Workarounds
Temporary Input Sanitization
Add custom sanitization for the 'id' parameter in the WordPress theme's functions.php or in a custom plugin. Note that the callback below only runs if the plugin actually applies a filter with this name; confirm the hook name against the plugin source before relying on it.
<?php
// Add to functions.php or a custom plugin.
// The filter name is the one given in this advisory; the callback is a no-op
// unless the plugin calls apply_filters() with that name.
add_filter('preprocess_contest_gallery_id', 'sanitize_contest_gallery_id');

function sanitize_contest_gallery_id($id) {
    return intval($id); // Force integer type; any markup in the value is discarded
}
🧯 If You Can't Patch
- Restrict user roles: Remove Contributor access or limit to trusted users only.
- Implement web application firewall (WAF) rules to block XSS payloads in the 'id' parameter.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Contest Gallery version. If version is 26.0.6 or lower, it is vulnerable.
Check Version:
wp plugin list --name='contest-gallery' --field=version
Verify Fix Applied:
After updating, confirm Contest Gallery version is 26.0.7 or higher in WordPress admin panel.
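The version check above can be automated. The following is an added example, not part of this advisory or the plugin: it parses the JSON form of `wp plugin list` output (wp-cli's `--format=json`; the sample output here is constructed, not captured from a real site) and compares the installed version numerically against 26.0.7, which matters because a plain string comparison would wrongly treat a future 26.0.10 as older than 26.0.7.

```python
import json
import re

FIXED_IN = "26.0.7"

# Constructed sample of `wp plugin list --format=json` output (not from a real
# site); the real command prints the same name/status/update/version fields.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "contest-gallery", "status": "active", "update": "available", "version": "26.0.6"},
])


def parse_version(version):
    # Numeric tuple so that 26.0.10 sorts after 26.0.7 (string comparison would not).
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version, fixed_in=FIXED_IN):
    # Every release below the patched version is affected.
    return parse_version(version) < parse_version(fixed_in)


def check_plugin_list(wp_cli_json, slug="contest-gallery"):
    """Return the install state of the plugin from wp-cli JSON output."""
    for plugin in json.loads(wp_cli_json):
        if plugin.get("name") == slug:
            return {
                "installed": True,
                "version": plugin["version"],
                "vulnerable": is_vulnerable(plugin["version"]),
            }
    return {"installed": False, "version": None, "vulnerable": False}


if __name__ == "__main__":
    # Pipe real output in with: wp plugin list --format=json | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_JSON
    print(check_plugin_list(data))
```

Run it against real output by piping `wp plugin list --format=json` into the script; without stdin it evaluates the constructed sample.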
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to contest-gallery endpoints with script tags in 'id' parameter
- Multiple failed login attempts followed by successful contributor-level access
Network Indicators:
- HTTP requests containing malicious script payloads in URL parameters
- Unexpected outbound connections from WordPress site after page views
SIEM Query:
source="wordpress.log" AND ("contest-gallery" OR "cg_entry_on_off") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
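The SIEM query above matches raw log text, which misses percent-encoded payloads. The following is an added example written for this page, not code from the advisory or the plugin: it parses combined-format web server access log lines (the sample lines are constructed), percent-decodes the 'id' query parameter, and flags two conditions: script markers in the decoded value on any path, and a non-integer 'id' on requests that reference the plugin, since the parameter is expected to be numeric. The plugin path and parameter names in the sample are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined format); not from any real site.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2025:12:00:01 +0000] "GET /gallery/?id=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - editor [10/May/2025:12:00:05 +0000] "POST /wp-admin/admin.php?page=contest-gallery&id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 880 "-" "Mozilla/5.0"
203.0.113.12 - - [10/May/2025:12:00:09 +0000] "GET /?cg_entry_on_off=1&id=javascript%3Aalert(1) HTTP/1.1" 200 410 "-" "curl/8.0"
203.0.113.13 - - [10/May/2025:12:00:12 +0000] "GET /wp-content/plugins/contest-gallery/js/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.14 - - [10/May/2025:12:00:15 +0000] "GET /?cg_entry_on_off=1&id=12abc HTTP/1.1" 200 410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)
# Markers the advisory's SIEM query looks for, plus a generic tag opener.
XSS_MARKER = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)
# Strings the advisory associates with the plugin's requests.
PLUGIN_HINT = re.compile(r"contest-gallery|cg_entry_on_off", re.I)


def scan_line(line):
    """Return (ip, reason, decoded_id) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    # parse_qs percent-decodes once; a second unquote catches double encoding.
    ids = [unquote(v) for v in parse_qs(urlsplit(target).query).get("id", [])]
    plugin_related = bool(PLUGIN_HINT.search(target))
    for value in ids:
        if XSS_MARKER.search(value):
            return (m.group("ip"), "xss_marker_in_id", value)
        if plugin_related and not value.isdigit():
            return (m.group("ip"), "non_integer_id", value)
    return None


def scan_log(text):
    """Scan every non-empty line and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hit = scan_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for ip, reason, value in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

Feed a real access log in place of SAMPLE_LOG; the non-integer check is the higher-signal rule for this parameter, because it fires on any non-numeric value rather than only on the handful of keywords the SIEM query lists.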
🔗 References
- https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.0.5/shortcodes/cg_entry_on_off.php#L20
- https://plugins.trac.wordpress.org/browser/contest-gallery/tags/26.0.7/shortcodes/cg_entry_on_off.php#L20
- https://plugins.trac.wordpress.org/changeset/3288915
- https://wordpress.org/plugins/contest-gallery/#developers
- https://www.contest-gallery.com/documentation/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a1b043a1-7bee-4ef0-86d9-19cf202cfc71?source=cve