cleantalk
Vulnerabilities and Security Researches

Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress, CVE-2025-6716

CVE, Research URL

CVE-2025-6716

Home page URL

Security reports for Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress

Application

Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress

Published on
Jul 11, 2025
Research Description
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'upload[1][title]' parameter in all versions up to, and including, 26.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 26.0.9.
Status
vulnerable
Previous vulnerability researches
Ad Blocking Detector (CVE-2025-22732) , Jan 19, 2025
Ad Blocking Detector (CVE-2014-125093) , Jun 06, 2024
New vulnerability
Lana Downloads Manager (CVE-2025-7387) , Jul 12, 2025
Internal Linking of Related Contents (CVE-2025-49884) , Jul 12, 2025
Sharable Password Protected Posts (CVE-2025-5920) , Jul 12, 2025
Friends (CVE-2025-7504) , Jul 12, 2025
Gutenberg Blocks by Kadence Blocks – Page Builder Features (CVE-2025-5678) , Jul 12, 2025