CVE-2025-23538

Vulnerability

Overview The WP Contest plugin for WordPress, version 1.0.0 and earlier, suffers from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript into the response.

Exploitation

Details Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page [1]. The attacker does not need authentication, but the target user must have certain privileges (e.g., administrator) for the attack to succeed. This makes it suitable for mass-exploit campaigns targeting thousands of sites.

Impact

Successful exploitation enables the attacker to execute malicious scripts in the context of the victim's browser, potentially leading to redirects, advertisement injection, or other HTML payloads that affect site visitors [1].

Mitigation

As of the advisory, no official patch has been released. Users are advised to update the plugin immediately if a fix becomes available. In the meantime, Patchstack offers a mitigation rule to block attacks [1]. Site administrators should also consider asking their hosting provider for assistance.