5.3
CVE-2025-12849
- EPSS 0.15%
- Veröffentlicht 15.11.2025 06:41:31
- Zuletzt bearbeitet 18.11.2025 14:06:55
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
Contest Gallery <= 28.0.2 - Missing Authorization
The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files.
Mögliche Gegenmaßnahme
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe: Update to version 28.0.3, or a newer patched version
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
Version
*-28.0.2
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellercontest-gallery
≫
Produkt
Contest Gallery – Upload, Vote & Sell with PayPal and Stripe
Default Statusunaffected
Version <=
28.0.2
Version
*
Status
affected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.15% | 0.356 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.