The Contest Gallery plugin for WordPress, used for uploading, voting, and selling contest entries with PayPal and Stripe integration, suffers from an authorization bypass vulnerability identified as CVE-2025-12849. This vulnerability stems from the plugin registering the AJAX action 'cg_check_wp_admin_upload_v10' for both authenticated and unauthenticated users without enforcing capability checks or nonce verification, violating secure authorization practices (CWE-862). As a result, unauthenticated attackers can invoke this AJAX endpoint to inject arbitrary WordPress media attachments into galleries and modify gallery metadata. Importantly, the vulnerability does not allow attackers to upload or move files on the server, limiting the attacker's capabilities to manipulating existing media attachments and metadata. The vulnerability affects all versions up to and including 28.0.2. The CVSS v3.1 base score is 5.3 (medium severity), reflecting network attack vector, no privileges required, no user interaction, and impact limited to integrity. No known exploits have been reported in the wild as of the publication date. The root cause is the lack of proper authorization checks on an AJAX action accessible to unauthenticated users, which is a common security oversight in WordPress plugin development. This flaw could be exploited to manipulate gallery content, potentially misleading users or damaging the integrity of contest results or sales data. The absence of file upload or movement capability reduces the risk of more severe attacks such as remote code execution or persistent backdoors. However, the integrity impact can still harm trust and business operations relying on accurate contest galleries.

The primary impact of CVE-2025-12849 is on the integrity of WordPress sites using the Contest Gallery plugin. Attackers can inject arbitrary media attachments and alter gallery metadata without authentication, potentially misleading users, corrupting contest results, or manipulating sales-related content. This can damage the reputation of organizations relying on contest galleries for marketing or e-commerce purposes. Although confidentiality and availability are not directly affected, the unauthorized content manipulation could lead to loss of customer trust and possible financial impact if manipulated galleries influence purchasing decisions or contest outcomes. The vulnerability's ease of exploitation (no authentication or user interaction required) increases risk, especially for high-traffic sites. Since the plugin integrates with PayPal and Stripe, indirect financial risks exist if manipulated galleries affect payment or sales processes. Organizations worldwide using this plugin in e-commerce, marketing, or community engagement contexts are at risk. The lack of known exploits in the wild suggests limited current exploitation but also indicates the need for proactive mitigation before attackers develop weaponized exploits.

1. Immediately update the Contest Gallery plugin to a patched version once released by the vendor addressing CVE-2025-12849. 2. Until a patch is available, restrict access to the AJAX action 'cg_check_wp_admin_upload_v10' by implementing server-level access controls (e.g., IP whitelisting or authentication requirements) to prevent unauthenticated requests. 3. Use WordPress security plugins or web application firewalls (WAFs) to monitor and block suspicious AJAX requests targeting this action. 4. Review and harden WordPress user roles and capabilities to minimize exposure of sensitive plugin functions. 5. Conduct regular audits of media attachments and gallery metadata to detect unauthorized changes. 6. Educate site administrators about the risk and signs of exploitation to enable rapid response. 7. Consider disabling or replacing the Contest Gallery plugin with alternative solutions if immediate patching is not feasible. 8. Monitor threat intelligence sources for emerging exploits targeting this vulnerability to adjust defenses accordingly.