WordPress Contest Gallery Plugin CSV Injection Vulnerability

Vulnerability

A CSV injection vulnerability has been identified in the WordPress Contest Gallery plugin ('Upload, Vote & Sell with PayPal and Stripe'), version 27.0.3 and prior. The vulnerability allows unauthenticated users to inject malicious content into gallery submissions, which the plugin later exports to CSV files without neutralizing it. When such an exported file is opened in a susceptible environment, the injected code could be executed.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the local system where the modified CSV file is opened, provided that the system is configured to execute such code from CSV files.

Reproduction

The vulnerability can be reproduced by submitting a gallery entry that contains untrusted data, such as a formula or script, and then exporting the submissions to a CSV file. Once that file is opened in a program that interprets CSV cell contents, such as Microsoft Excel, the injected code could be executed.

Remediation

Users are advised to update the WordPress Contest Gallery plugin to version 28.0.0 or later, where this vulnerability has been patched.
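The reproduction and remediation sections above describe the two halves of this issue: untrusted submission data reaching a CSV export unchanged, and the fix being a release that neutralizes it. The following Python example is added here to illustrate the defensive side and is not code from the Contest Gallery plugin or its author. It assumes a generic export of submission rows (the field names, the sample entries and the helper names are constructed for the example) and shows an export that mirrors the vulnerable behaviour, an audit that flags formula-like cells in an existing export, and a hardened export that neutralizes them with a leading apostrophe.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (per OWASP CSV injection guidance); tab and carriage return are
# included because some importers honour them as cell-level triggers too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    # Treat leading spaces as if stripped, since some importers trim cells first.
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return a cell value that is safe to place in a CSV export.

    Genuine numbers pass through unchanged (a negative number is not attacker
    text); anything else is stringified and, if formula-like, prefixed with an
    apostrophe, which spreadsheets read as "this cell is literal text".
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def _write_rows(rows, fieldnames, cell_fn):
    """Serialize dict rows to CSV text, passing every cell through cell_fn."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: cell_fn(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def unsafe_export(rows, fieldnames):
    """Export with no neutralization, mirroring the vulnerable behaviour."""
    return _write_rows(rows, fieldnames, lambda v: "" if v is None else str(v))


def export_submissions(rows, fieldnames):
    """Hardened export: every cell is neutralized before it is written."""
    return _write_rows(rows, fieldnames, neutralize_cell)


def audit_csv(csv_text):
    """Scan an already-exported CSV and report cells that still look like formulas.

    Returns (row_number, column_name, value) tuples with 1-based data rows
    (header excluded). Useful for checking exports produced by an unpatched
    plugin before anyone opens them in a spreadsheet.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for row_no, row in enumerate(reader, start=1):
        for column, value in row.items():
            if value is not None and is_formula_like(value):
                findings.append((row_no, column, value))
    return findings


# Constructed sample submissions (not real data). The third entry carries a
# harmless formula-like title standing in for untrusted contest input.
SAMPLE_SUBMISSIONS = [
    {"id": 1, "title": "Sunset over the bay", "author": "alice@example.com"},
    {"id": 2, "title": "@night_owl shot", "author": "bob@example.com"},
    {"id": 3, "title": "=SUM(1,2)", "author": "carol@example.com"},
]
FIELDS = ["id", "title", "author"]


if __name__ == "__main__":
    vulnerable = unsafe_export(SAMPLE_SUBMISSIONS, FIELDS)
    print("Formula-like cells in unsafe export:", audit_csv(vulnerable))
    hardened = export_submissions(SAMPLE_SUBMISSIONS, FIELDS)
    print("Formula-like cells in hardened export:", audit_csv(hardened))
    print(hardened)
```

The audit deliberately flags values such as "@night_owl shot" even though they are not attacks: a leading "@" is enough for some spreadsheets to attempt evaluation, so the hardened export neutralizes on syntax alone rather than trying to recognise payloads. Numeric columns are exempted because a stored integer cannot carry injected text, which keeps negative numbers readable in the export.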

Added: Oct 11, 2025, 9:25 AM
Updated: Oct 11, 2025, 9:25 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 7.6
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.