CVE-2025-1513Cross-site Scripting in Contest Gallery

CWE-79Cross-site ScriptingCWE-665Improper Initialization4 documents4 sources
Severity
6.1MEDIUMNVD
CNA7.2
EPSS
0.5%
top 32.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Contest-gallery Contest Gallery
Timeline
PublishedFeb 28

Description

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Name and Comment field when commenting on photo gallery entries in all versions up to, and including, 26.0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execu

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

Patches

Patch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-4h65-5qp6-cgrp: The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plug2025-02-28
CVEList
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons <= 26.0.0.1 - Unauthenticated Stored Cross-Site Scripting2025-02-28

📋Vendor Advisories

1
Microsoft
A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl on 32-bit systems there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace causing 2023-03-14
CVE-2025-1513 — Cross-site Scripting in Contest Gallery | cvebase