Contest Gallery WordPress Plugin CVE-2025-7725: Brief Summary of Stored XSS Vulnerability

A brief summary of CVE-2025-7725, a stored cross-site scripting vulnerability affecting the Contest Gallery WordPress plugin up to version 26.1.0. This post covers technical details, affected versions, vendor security history, and key references.

ZeroPath CVE Analysis

2025-07-31

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.


Introduction

Malicious JavaScript injected through a simple contest comment can run in the browser of every visitor who views the affected page on a WordPress site running Contest Gallery. This vulnerability impacts any site using the plugin up to version 26.1.0, allowing unauthenticated attackers to store script that persistently executes in users' browsers.

About the software: Contest Gallery is a specialized WordPress plugin for running photo and video contests, supporting uploads, voting, e-commerce via PayPal and Stripe, and social sharing. It has over 1,000 active installations and is maintained by Wasiliy Strecker. The plugin is widely used in niche communities and small businesses that rely on user engagement and media-driven campaigns.

Technical Information

CVE-2025-7725 is a stored cross-site scripting vulnerability in the comment feature of the Contest Gallery WordPress plugin. The vulnerability is present in all versions up to and including 26.1.0. The root cause is insufficient input sanitization and output escaping when processing user-submitted comments. Specifically, when a user submits a comment, the plugin fails to properly sanitize the input or escape output before rendering it on the gallery or entry page. This allows an attacker to inject arbitrary JavaScript payloads that are stored in the WordPress database.

When another user visits a page containing the malicious comment, the JavaScript executes in their browser context. The attack does not require authentication, making it accessible to any external attacker. The flaw is similar to other XSS issues previously reported in this plugin, which also stemmed from improper handling of user input in various fields. No specific code snippets or exploit payloads have been published in public sources as of this writing.
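
The root cause described above, shown as an added illustration: a comment handler that stores and echoes raw input, next to a version that sanitizes on save and escapes on output using standard WordPress functions. This is not Contest Gallery's code or its patch; the table name, column names and demo_* function names are hypothetical.

```php
<?php
// Added illustration, NOT the plugin's code. Table, columns and the
// demo_* function names are hypothetical.

// Hypothetical helper: load stored comments for one contest entry.
function demo_get_comments( $entry_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_contest_comments'; // hypothetical table
    return $wpdb->get_col( $wpdb->prepare(
        "SELECT comment FROM {$table} WHERE entry_id = %d",
        absint( $entry_id )
    ) );
}

// Pattern the advisory describes: the stored value is written into the
// page as-is, so any markup inside a comment is interpreted by the browser.
function demo_render_comments_unsafe( $entry_id ) {
    foreach ( demo_get_comments( $entry_id ) as $comment ) {
        echo '<p class="comment">' . $comment . '</p>'; // no escaping
    }
}

// Hardened, step 1: sanitize on input before the value reaches the database.
function demo_save_comment( $entry_id, $raw_comment ) {
    global $wpdb;
    // wp_unslash() undoes WordPress's added slashes on request data;
    // sanitize_textarea_field() strips tags but keeps line breaks.
    $clean = sanitize_textarea_field( wp_unslash( $raw_comment ) );
    if ( '' === $clean ) {
        return false; // nothing left after sanitizing: reject
    }
    return (bool) $wpdb->insert(
        $wpdb->prefix . 'demo_contest_comments',
        array( 'entry_id' => absint( $entry_id ), 'comment' => $clean ),
        array( '%d', '%s' )
    );
}

// Hardened, step 2: escape on output regardless of what is stored, so rows
// written before the fix (or by another code path) are rendered as text.
function demo_render_comments( $entry_id ) {
    foreach ( demo_get_comments( $entry_id ) as $comment ) {
        echo '<p class="comment">' . nl2br( esc_html( $comment ) ) . '</p>';
    }
}
```

Escaping at render time is the control that neutralizes comments already stored in the database; sanitizing on save alone does not.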

Affected Systems and Versions

  • Contest Gallery WordPress plugin
  • All versions up to and including 26.1.0
  • Any WordPress site with the plugin installed and comments enabled is vulnerable

Vendor Security History

The Contest Gallery plugin has experienced multiple XSS vulnerabilities in 2025:

  • CVE-2025-3862: XSS via 'id' parameter (≤ 26.0.6)
  • CVE-2025-1513: XSS via Name and Comment fields (≤ 26.0.0.1)
  • CVE-2025-6716: Authenticated (Author+) stored XSS
  • CVE-2025-48291: Stored XSS (≤ 26.0.6)

Security fixes have been released in several minor versions, but the recurrence of similar flaws indicates ongoing challenges with secure coding practices, particularly around input validation and output escaping. The vendor's response has been reactive, with updates following public disclosure.
