CVE-2025-48291

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Contest Gallery plugin for WordPress, versions up to and including 26.0.6. The issue stems from improper neutralization of user-supplied input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript code that gets stored on the server.

Exploitation

Exploitation requires a user with at least contributor-level privileges to inject the malicious payload. However, successful execution also requires an administrator or other privileged user to interact with the injected content (e.g., viewing the affected page). Attackers can leverage this to compromise the admin session or perform actions on behalf of the admin.

Impact

An attacker can inject malicious scripts that execute when other users visit the affected page. This can lead to redirects, defacement, data theft, or further compromise of the WordPress site. The vulnerability is considered moderately dangerous and is expected to be used in mass exploitation campaigns targeting thousands of websites [1].

Mitigation

The vendor has released version 26.0.7 which fixes the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the update is applied [1].