CVE-2025-12849 MEDIUM

CVE-2025-12849: Contest Gallery <= 28.0.2 - Missing Authorization

Vendor Contest-Gallery
Product Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe
Weakness CWE-862 · Missing authorization
Published November 15, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. The plugin registers the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users (the `wp_ajax_` and `wp_ajax_nopriv_` hooks of `admin-ajax.php`) without performing a capability check or nonce verification in the handler. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments (items already present in the media library, since no upload is possible) into galleries and to manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files, which is why the impact is limited to a low integrity impact (I:L) with no confidentiality or availability impact.
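The weakness class is the generic WordPress "public AJAX handler without authorization" pattern. The following is an added illustration written for this page; it is not the Contest Gallery plugin's code, and the handler names, meta key and request parameters (`cg_demo_*`, `_cg_demo_attachments`, `attachment_id`, `gallery_id`) are made up for the example. It places the vulnerable registration beside a hardened version that an unauthenticated caller cannot reach and that an authenticated caller can only use with a valid nonce, the required capability, and edit rights on both objects.

```php
<?php
/**
 * Added example (not plugin code): CWE-862 in a WordPress AJAX handler.
 * All function, action, meta and parameter names below are hypothetical.
 */

/* ---------- Vulnerable pattern ----------------------------------------
 * Registering the same callback on both wp_ajax_ and wp_ajax_nopriv_ makes
 * it reachable by anyone who can send a POST to /wp-admin/admin-ajax.php.
 * The handler then trusts request data and writes it without any check.
 */
add_action( 'wp_ajax_cg_demo_attach_v10',        'cg_demo_attach_vulnerable' );
add_action( 'wp_ajax_nopriv_cg_demo_attach_v10', 'cg_demo_attach_vulnerable' ); // <- exposes it unauthenticated

function cg_demo_attach_vulnerable() {
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $gallery_id    = absint( $_POST['gallery_id'] ?? 0 );

    // No nonce, no capability check, no ownership check: any existing
    // attachment ID can be attached to any gallery, and metadata overwritten.
    add_post_meta( $gallery_id, '_cg_demo_attachments', $attachment_id ); // hypothetical meta key
    wp_send_json_success( array( 'gallery' => $gallery_id, 'attachment' => $attachment_id ) );
}

/* ---------- Hardened pattern -------------------------------------------
 * 1. No wp_ajax_nopriv_ registration: admin-ajax.php answers "0" (HTTP 400)
 *    to unauthenticated callers for an action that is only registered for
 *    logged-in users.
 * 2. check_ajax_referer() rejects requests without a nonce issued for this
 *    action to this user (CSRF), dying with 403 on failure.
 * 3. current_user_can() enforces the capability appropriate to the operation
 *    (upload_files), then object-level edit rights on the attachment and on
 *    the target gallery, so a Contributor cannot modify another user's gallery.
 */
add_action( 'wp_ajax_cg_demo_attach_v10_safe', 'cg_demo_attach_hardened' );

function cg_demo_attach_hardened() {
    check_ajax_referer( 'cg_demo_attach_v10_safe', 'nonce' );

    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $gallery_id    = absint( $_POST['gallery_id'] ?? 0 );

    // The referenced post must really be a media attachment, and the caller
    // must be allowed to edit it (meta capability resolves owner vs. others).
    if ( 'attachment' !== get_post_type( $attachment_id )
        || ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'bad attachment', 400 );
    }

    // Same object-level check on the gallery being modified.
    if ( ! current_user_can( 'edit_post', $gallery_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    add_post_meta( $gallery_id, '_cg_demo_attachments', $attachment_id ); // hypothetical meta key
    wp_send_json_success( array( 'gallery' => $gallery_id, 'attachment' => $attachment_id ) );
}

/* The nonce the hardened handler expects is issued when the admin script is
 * enqueued, so the browser can send it back as the `nonce` POST field:
 */
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'cg-demo-admin', 'cgDemo', array(   // 'cg-demo-admin' is a hypothetical script handle
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'cg_demo_attach_v10_safe' ),
    ) );
} );
```

When triaging a site, the quickest check for the vulnerable shape is whether `admin-ajax.php` returns anything other than `0` for `action=cg_check_wp_admin_upload_v10` without a logged-in cookie; a fixed build should refuse the unauthenticated request entirely rather than merely validating its parameters.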

Key dates

Disclosure timeline

November 15, 2025 CVE published
April 8, 2026 Record updated
