CVE-2025-10383: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in contest-gallery Contest Gallery – Upload, Vote & Sell with PayPal and Stripe
The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-10383 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin 'Contest Gallery – Upload, Vote & Sell with PayPal and Stripe', affecting all versions up to and including 27.0.2. The root cause is CWE-79: several form field parameters are stored without adequate sanitization and later written into plugin-generated pages without output escaping suited to the context. The advisory's wording ("user-supplied attributes") suggests values that end up inside HTML attribute values, but the exact sinks are not published here. An authenticated user with the Author role or higher can therefore submit a value that, for example, closes the attribute and adds an event handler, and the resulting script is served to every visitor of the affected page.
Two points make this more than a routine finding. First, WordPress core already denies the Author role the unfiltered_html capability and passes ordinary post content through wp_kses_post, so script injection by an Author is only possible where a plugin handles its own fields and skips that filtering; the flaw lies in the plugin's own save and render paths, not in core. Second, the plugin runs contests with public voting and handles PayPal and Stripe payments, so the injected pages are exactly the ones that site visitors, contest entrants and moderating administrators are expected to open.
The CVSS v3.1 base score is 6.4 (medium), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, low privileges required (an Author account), no user interaction beyond loading the page, a scope change because the script runs in victims' browsers rather than on the server, and limited confidentiality and integrity impact with no availability impact. At the time of this entry no exploitation in the wild has been reported and no patch has been linked; administrators should check the plugin changelog and the Wordfence advisory for a fixed release rather than relying on the installed version number alone.
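The sanitize-on-input, escape-on-output discipline the summary refers to, shown as an added example in the plugin's language. This is illustrative code, not the plugin's own; the field names, meta keys and nonce action are hypothetical, and it assumes WordPress is loaded so that its core helper functions exist. The hardened half goes beyond the specific flaw by also adding the capability and nonce checks a save handler needs.

```php
<?php
// Added illustration of the CWE-79 pattern described above (not the plugin's own code).
// Assumes WordPress is loaded: esc_attr, esc_html, esc_url, sanitize_text_field, wp_kses_post,
// wp_unslash, wp_slash, wp_verify_nonce and current_user_can are core functions.
// Field names (cg_title, cg_description, cg_link) and meta keys are hypothetical.

// --- Vulnerable pattern: attribute value stored and echoed without neutralization ---
function cg_example_save_vulnerable( int $entry_id ): void {
    // Stored raw. An Author can submit:  " onfocus="alert(document.domain)" autofocus="
    update_post_meta( $entry_id, '_cg_example_title', $_POST['cg_title'] ?? '' );
}

function cg_example_render_vulnerable( int $entry_id ): string {
    $title = get_post_meta( $entry_id, '_cg_example_title', true );
    // Unescaped output inside a double-quoted attribute: the payload closes the attribute,
    // adds an event handler and auto-focuses, so the script runs for every visitor.
    return '<input type="text" name="cg_title" value="' . $title . '">';
}

// --- Hardened pattern: check authority, sanitize on input, escape on output per context ---
function cg_example_save_hardened( int $entry_id ): void {
    // Only users allowed to edit this entry may change its fields.
    if ( ! current_user_can( 'edit_post', $entry_id ) ) {
        return;
    }
    // Nonce check so the form cannot be driven by CSRF (nonce action name is hypothetical).
    $nonce = isset( $_POST['cg_nonce'] ) ? sanitize_key( $_POST['cg_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'cg_example_save_' . $entry_id ) ) {
        return;
    }

    // Single-line text: wp_unslash() removes the slashes WordPress adds to $_POST,
    // sanitize_text_field() strips tags, null bytes and control characters.
    $title = sanitize_text_field( wp_unslash( $_POST['cg_title'] ?? '' ) );

    // Rich text: keep only the tags and attributes post authors may use
    // (no <script>, no on* handlers, no javascript: URLs).
    $description = wp_kses_post( wp_unslash( $_POST['cg_description'] ?? '' ) );

    // Plain URL: drop anything that is not an allowed scheme.
    $link = esc_url_raw( wp_unslash( $_POST['cg_link'] ?? '' ) );

    // update_post_meta() expects slashed input (it unslashes internally), so re-slash
    // the sanitized values to keep legitimate backslashes intact.
    update_post_meta( $entry_id, '_cg_example_title', wp_slash( $title ) );
    update_post_meta( $entry_id, '_cg_example_description', wp_slash( $description ) );
    update_post_meta( $entry_id, '_cg_example_link', wp_slash( $link ) );
}

function cg_example_render_hardened( int $entry_id ): string {
    $title       = get_post_meta( $entry_id, '_cg_example_title', true );
    $description = get_post_meta( $entry_id, '_cg_example_description', true );
    $link        = get_post_meta( $entry_id, '_cg_example_link', true );

    // Escape at output time for the context the value lands in. Sanitizing on save is
    // defence in depth, not a substitute: data already in the database, or written by
    // another code path, is neutralized here regardless of how it got in.
    $html  = '<input type="text" name="cg_title" value="' . esc_attr( $title ) . '">';  // attribute
    $html .= '<div class="cg-description">' . wp_kses_post( $description ) . '</div>';   // allowed HTML
    $html .= '<a href="' . esc_url( $link ) . '">' . esc_html( $title ) . '</a>';        // URL + text
    return $html;
}
```

The choice of function follows the output context, not the input: a value that is safe as text (esc_html) is not safe inside an attribute (esc_attr) or a URL (esc_url), and a single generic "sanitize" step on save cannot know which of those contexts the value will later be rendered in.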
Potential Impact
For European organizations running WordPress sites with the vulnerable Contest Gallery plugin, this stored XSS poses a moderate risk. The classic outcome, theft of session cookies, is less direct on WordPress than it first appears: core sets its authentication cookies with the HttpOnly flag, so an injected script cannot read them through document.cookie. The realistic path is for the script to act inside the victim's already-authenticated browser, for instance by loading a page that carries a REST API nonce and then issuing REST or admin-ajax requests as that user. If the victim is an administrator moderating entries, that amounts to site takeover: creating a new administrator account, installing a plugin, or changing site settings. Against ordinary users the script can alter or delete their contest entries, manipulate votes, deface gallery pages, or inject phishing content and redirects around the PayPal and Stripe checkout flows, with financial fraud and data leakage as possible results. For organizations processing personal data under the GDPR, a successful exploitation may constitute a reportable breach. Because the payload is stored server-side, it executes for every visitor until it is removed; a fix that adds output escaping neutralizes it on display, but the injected records remain in the database and should be cleaned up as well. The medium score reflects that availability is untouched and that no server-side code execution is involved, while the confidentiality and integrity of user data and transactions are at risk, with the reputational and financial consequences that implies.
Mitigation Recommendations
1. Restrict the Author role, and any custom role that can submit contest entries, to trusted accounts, and review the Author accounts that already exist. This lowers the chance of injection but does not close the bug.
2. Until a fixed release is linked, disable or remove the plugin if the site can do without it; if it must stay active, close the submission forms reachable by Author-level users.
3. Deploy a Content Security Policy that disallows inline scripts (no 'unsafe-inline' in script-src; use nonces or hashes). Test it on a staging copy first, because WordPress admin pages and many themes rely on inline scripts and break under a strict policy.
4. Audit stored content (posts, post meta and the plugin's own tables) for script tags, event handler attributes and javascript: URLs, and remove any hits. Repeat the audit after patching: a patch stops new injection but does not purge payloads already stored.
5. Place a Web Application Firewall with XSS rules in front of the site, treating it as a speed bump rather than a fix, since the payloads arrive through authenticated form submissions and encoded variants are easy to craft.
6. Apply the vendor update promptly once it is linked in the advisory, and verify the installed version afterwards (for example with wp plugin list --name=contest-gallery).
7. For the plugin developer: sanitize each field on save with the narrowest suitable function (sanitize_text_field for plain text, wp_kses_post for rich text, esc_url_raw for URLs), escape at output for the context (esc_attr, esc_html, esc_url), and add capability and nonce checks to every save handler.
8. Make administrators aware that merely previewing or moderating a contest entry is enough to trigger a stored payload; where possible, moderate from an account without administrator rights.
9. Include stored XSS in the contest submission and moderation flow in the next penetration test to confirm the fix and find residual sinks.
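An audit script for the "audit stored content" step, added here as an example and not part of the plugin or of WordPress core. It runs under WP-CLI (wp eval-file), assumes WordPress is bootstrapped so that $wpdb and WP_CLI exist, and scans the core posts and postmeta tables plus every table whose name contains "contest". That table-name filter is an assumption about where the plugin keeps its data; confirm the real table names with wp db tables before trusting a clean result.

```php
<?php
// Added audit script (example code, not the plugin's or WordPress core's). Save as
// cg-xss-audit.php in the site root and run:   wp eval-file cg-xss-audit.php
// Assumes WordPress is bootstrapped by WP-CLI. The 'contest' table-name filter is an
// assumption about the plugin's schema; check it with `wp db tables`.

global $wpdb;

// Fragments that have no legitimate place in a title, entrant name or caption.
// LIKE is case-insensitive under WordPress' default collations, so <SCRIPT is caught too.
$patterns = array(
    '<script', 'javascript:', 'data:text/html',
    'onerror=', 'onload=', 'onfocus=', 'onmouseover=', 'onclick=',
    '<svg', '<iframe', '<object', '<embed',
    '&lt;script', '&#x3c;script', '&#60;script',   // entity-encoded variants
);

/**
 * Return one record per row of $table in which any of $columns contains any pattern,
 * carrying the table name, the row's first column (normally its primary key) and the
 * first pattern that matched.
 */
function cg_audit_scan_table( wpdb $wpdb, string $table, array $columns, array $patterns ): array {
    $clauses = array();
    $args    = array();
    foreach ( $columns as $col ) {
        foreach ( $patterns as $p ) {
            $clauses[] = "`{$col}` LIKE %s";
            // esc_like() escapes % and _ inside the needle; the outer % are the wildcards.
            $args[] = '%' . $wpdb->esc_like( $p ) . '%';
        }
    }
    $sql  = "SELECT * FROM `{$table}` WHERE " . implode( ' OR ', $clauses );
    $rows = (array) $wpdb->get_results( $wpdb->prepare( $sql, $args ), ARRAY_A );

    $hits = array();
    foreach ( $rows as $row ) {
        $blob = strtolower( implode( ' ', array_map( 'strval', $row ) ) );
        foreach ( $patterns as $p ) {
            if ( strpos( $blob, strtolower( $p ) ) !== false ) {
                $hits[] = array( 'table' => $table, 'id' => reset( $row ), 'pattern' => $p );
                break;
            }
        }
    }
    return $hits;
}

// Core tables where plugin-managed content commonly lands.
$targets = array(
    $wpdb->posts    => array( 'post_title', 'post_content', 'post_excerpt' ),
    $wpdb->postmeta => array( 'meta_value' ),
);

// Plugin tables (heuristic): every table with 'contest' in its name, all of its text columns.
$plugin_tables = $wpdb->get_col(
    $wpdb->prepare( 'SHOW TABLES LIKE %s', '%' . $wpdb->esc_like( 'contest' ) . '%' )
);
foreach ( $plugin_tables as $table ) {
    $cols = $wpdb->get_col( $wpdb->prepare(
        "SELECT COLUMN_NAME FROM information_schema.COLUMNS
          WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = %s
            AND DATA_TYPE IN ('varchar', 'text', 'tinytext', 'mediumtext', 'longtext')",
        $table
    ) );
    if ( $cols ) {
        $targets[ $table ] = $cols;
    }
}

$total = 0;
foreach ( $targets as $table => $columns ) {
    foreach ( cg_audit_scan_table( $wpdb, $table, $columns, $patterns ) as $hit ) {
        $total++;
        // Print identifiers only; never echo the stored value into a terminal or log viewer
        // that might render it as HTML.
        WP_CLI::log( sprintf( '%s  first column=%s  matched=%s', $hit['table'], $hit['id'], $hit['pattern'] ) );
    }
}
WP_CLI::log( "Suspicious rows: {$total}" );
```

Treat every hit as a lead, not a verdict: legitimate rich-text descriptions can contain <iframe> embeds or an onclick on a theme element, so inspect each flagged row (wp post meta get, or a direct SELECT by the printed key) before deleting it, and re-run the script after the plugin is updated.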
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-12T20:24:46.177Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 10/4/2025, 3:48:27 AM