cleantalk
Vulnerabilities and Security Researches

Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress, CVE-2025-11254

CVE, Research URL

CVE-2025-11254

Published on
Oct 11, 2025

Research Description
The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Affected versions
max 28.0.0.

Status
vulnerable
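
For anyone who maintains an export routine that writes user submissions to CSV, the following is an added example of the usual server-side mitigation for CSV injection; it is not code from the Contest Gallery plugin or from this advisory. The function names `csv_safe_cell` and `export_rows_csv` and the sample rows are hypothetical, and the leading-character rule (`=`, `+`, `-`, `@`, tab, carriage return) is the general spreadsheet-formula rule rather than anything specific to this plugin.

```php
<?php
// Added example: helper names are hypothetical, not the plugin's own code.

/**
 * Neutralise one value before it is written to a CSV cell.
 * Spreadsheet software may evaluate a cell as a formula when its first
 * character is =, +, -, @, tab or carriage return. Prefixing such a cell
 * with a single quote makes the spreadsheet display it as plain text.
 */
function csv_safe_cell($value): string
{
    $text = (string) $value;
    // Plain numbers such as "-3" or "+1.5" are not formulas; keep them usable.
    if (is_numeric($text)) {
        return $text;
    }
    // Some spreadsheets skip leading spaces, so inspect the first non-space char.
    $probe = ltrim($text, ' ');
    if ($probe !== '' && strpos("=+-@\t\r", $probe[0]) !== false) {
        return "'" . $text;
    }
    return $text;
}

/**
 * Write a header and rows of untrusted values to an open stream as CSV.
 * fputcsv() handles quoting of commas, quotes and newlines; the formula
 * neutralisation above is a separate step that quoting alone does not cover.
 */
function export_rows_csv($stream, array $header, array $rows): void
{
    fputcsv($stream, $header, ',', '"', '');
    foreach ($rows as $row) {
        fputcsv($stream, array_map('csv_safe_cell', $row), ',', '"', '');
    }
}

// Constructed sample submissions: the second row starts cells with formula characters.
$rows = [
    ['Alice', 'alice@example.com', 'Sunset over the bay', '-3'],
    ['=1+1', '@SUM(A1:A2)', '+2*3', ' =A1'],
];
$out = fopen('php://output', 'w');
export_rows_csv($out, ['name', 'email', 'title', 'score'], $rows);
fclose($out);
```

The same neutralisation has to be applied at every export path, since the untrusted value is stored at submission time and only becomes dangerous when the file is opened in a spreadsheet.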