Introduction
Malicious JavaScript injected through a simple contest comment can compromise every visitor to a WordPress site running Contest Gallery. This vulnerability impacts any site using the plugin up to version 26.1.0, allowing attackers to persistently execute code in users' browsers without authentication.
About the software: Contest Gallery is a specialized WordPress plugin for running photo and video contests, supporting uploads, voting, e-commerce via PayPal and Stripe, and social sharing. It has over 1,000 active installations and is maintained by Wasiliy Strecker. The plugin is widely used in niche communities and small businesses that rely on user engagement and media-driven campaigns.
Technical Information
CVE-2025-7725 is a stored cross-site scripting vulnerability in the comment feature of the Contest Gallery WordPress plugin. The vulnerability is present in all versions up to and including 26.1.0. The root cause is insufficient input sanitization and output escaping when processing user-submitted comments. Specifically, when a user submits a comment, the plugin fails to properly sanitize the input or escape output before rendering it on the gallery or entry page. This allows an attacker to inject arbitrary JavaScript payloads that are stored in the WordPress database.
When another user visits a page containing the malicious comment, the JavaScript executes in their browser context. The attack does not require authentication, making it accessible to any external attacker. The flaw is similar to other XSS issues previously reported in this plugin, which also stemmed from improper handling of user input in various fields. No specific code snippets or exploit payloads have been published in public sources as of this writing.
Affected Systems and Versions
- Contest Gallery WordPress plugin
- All versions up to and including 26.1.0
- Any WordPress site with the plugin installed and comments enabled is vulnerable
Vendor Security History
The Contest Gallery plugin has experienced multiple XSS vulnerabilities in 2025:
- CVE-2025-3862: XSS via 'id' parameter (≤ 26.0.6)
- CVE-2025-1513: XSS via Name and Comment fields (≤ 26.0.0.1)
- CVE-2025-6716: Authenticated (Author+) stored XSS
- CVE-2025-48291: Stored XSS (≤ 26.0.6)
Security fixes have been released in several minor versions, but the recurrence of similar flaws indicates ongoing challenges with secure coding practices, particularly around input validation and output escaping. The vendor's response has been reactive, with updates following public disclosure.
