cleantalk
Vulnerabilities and Security Researches

Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress, CVE-2025-6716

CVE, Research URL

CVE-2025-6716

Home page URL

Security reports for Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress

Application

Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress

Published on
Jul 11, 2025
Research Description
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'upload[1][title]' parameter in all versions up to, and including, 26.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 26.0.9.
Status
vulnerable
Previous vulnerability researches
CRM and Lead Management by vcita (CVE-2024-13702) , Mar 27, 2025
CRM and Lead Management by vcita (CVE-2024-13703) , Mar 14, 2025
CRM and Lead Management by vcita (CVE-2023-2405) , Jun 07, 2024
CRM and Lead Management by vcita (CVE-2023-2404) , Jun 07, 2024
New vulnerability
Best WordPress Gallery Plugin – FooGallery (CVE-2025-6068) , Jul 12, 2025
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg (CVE-2025-48300) , Jul 12, 2025
GB Forms DB (CVE-2025-5392) , Jul 12, 2025
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid (CVE-2025-34084) , Jul 12, 2025
Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Conten (CVE-2025-34077) , Jul 12, 2025