CVE-2025-1513
Published: 28 February 2025
Summary
CVE-2025-1513 is a high-severity Cross-Site Scripting (CWE-79) vulnerability in the Contest Gallery WordPress plugin by Contest-Gallery. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-1513 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress. It affects all versions up to and including 26.0.0.1 due to insufficient input sanitization and output escaping in the Name and Comment fields when users comment on photo gallery entries. This flaw enables the injection of arbitrary web scripts into pages, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low complexity, lack of privileges or user interaction required, and changed scope.
Unauthenticated attackers can exploit the vulnerability by submitting malicious scripts via the Name or Comment fields during photo gallery comments. The injected scripts are then stored persistently and execute in the browser context of any user who views the affected page, potentially compromising confidentiality and integrity through actions like stealing cookies, session tokens, or sensitive data displayed on the page.
Advisories reference a patch in the WordPress plugins Trac repository (changeset 3245199 in the contest-gallery repository), indicating remediation through an updated plugin version. Wordfence Threat Intelligence provides further details on its dedicated page for the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5476
Vulnerability details
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Name and Comment field when commenting on photo gallery entries in all versions up to, and including, 26.0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin directly enables T1190 exploitation and, via the injected scripts, facilitates browser session hijacking (T1185) and web session cookie theft (T1539).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the insufficient input sanitization by requiring validation of the Name and Comment fields to block malicious script injection.
SI-15 mitigates the lack of output escaping by filtering the rendered comment content so that injected markup cannot execute as script when the page is viewed.
SI-2 ensures flaw remediation through applying the patched plugin version referenced in the advisory changeset.
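The following is an added illustration, not the plugin's own code (which the advisory does not reproduce): the store-and-echo pattern the analysis describes for the Name and Comment fields, beside a hardened path that validates on input (SI-10) and escapes on output (SI-15). The function names, the `cg-comment` markup and the sample submission are assumptions; the WordPress helpers named in the comments are the real ones a plugin would call.

```php
<?php
// Added illustration, not the Contest Gallery plugin's own code: a comment
// renderer that stores and echoes the Name and Comment fields unescaped (the
// CWE-79 pattern described above) beside a hardened path that validates on
// input (SI-10) and escapes on output (SI-15). Plain PHP; WordPress
// equivalents (sanitize_text_field, esc_html, esc_attr) are noted inline.
// Constructed sample submission standing in for an attacker-controlled form post.
$submitted = [
    'name'    => 'visitor" onmouseover="alert(1)',
    'comment' => 'Nice photo! <script>alert(document.domain)</script>',
];

// Vulnerable pattern: the stored values are concatenated straight into markup.
function render_comment_vulnerable(array $c): string {
    return '<div class="cg-comment" data-author="' . $c['name'] . '">'
         . '<strong>' . $c['name'] . '</strong>: ' . $c['comment'] . '</div>';
}

// SI-10: normalize and bound the input before it is stored
// (WordPress: sanitize_text_field() performs a comparable step).
function sanitize_comment_input(array $raw): array {
    $clean = function (string $s, int $max): string {
        $s = strip_tags($s);                                   // drop any markup
        $s = preg_replace('/[\x00-\x1F\x7F]/u', '', $s) ?? ''; // drop control chars
        return mb_substr(trim($s), 0, $max);                   // enforce a length limit
    };
    return [
        'name'    => $clean((string)($raw['name'] ?? ''), 80),
        'comment' => $clean((string)($raw['comment'] ?? ''), 2000),
    ];
}

// SI-15: escape for the HTML context at render time
// (WordPress: esc_html() for text nodes, esc_attr() for attribute values).
function esc_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function render_comment_hardened(array $c): string {
    // Escaping happens here regardless of what was sanitized on the way in, so
    // comments stored before the fix are also rendered as inert text.
    return '<div class="cg-comment" data-author="' . esc_for_html($c['name']) . '">'
         . '<strong>' . esc_for_html($c['name']) . '</strong>: '
         . esc_for_html($c['comment']) . '</div>';
}
echo "Vulnerable render:\n", render_comment_vulnerable($submitted), "\n\n";
echo "Hardened render:\n", render_comment_hardened(sanitize_comment_input($submitted)), "\n";
```

Because the hardened renderer escapes at output time, it also neutralizes comments that were stored before a fix was applied, which is why SI-15 matters alongside SI-10 rather than instead of it.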