CVE-2025-12849: CWE-862 Missing Authorization in contest-gallery Contest Gallery – Upload, Vote & Sell with PayPal and Stripe
The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files.
AI Analysis
Technical Summary
CVE-2025-12849 is an authorization bypass vulnerability identified in the Contest Gallery – Upload, Vote & Sell with PayPal and Stripe WordPress plugin, affecting all versions up to and including 28.0.2. The root cause is the plugin's registration of the AJAX action `cg_check_wp_admin_upload_v10` for both authenticated and unauthenticated users without enforcing capability checks or nonce verification, which are standard WordPress security mechanisms to validate user permissions and prevent CSRF attacks. This design flaw enables unauthenticated attackers to invoke this AJAX endpoint and inject arbitrary WordPress media attachments into galleries, as well as manipulate gallery metadata. Although attackers cannot upload new files or move existing files on the server, the ability to inject media attachments and alter metadata can lead to unauthorized content display, potential misinformation, or defacement of galleries. The vulnerability impacts the integrity of the affected WordPress sites but does not compromise confidentiality or availability directly. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the network attack vector, no privileges required, no user interaction needed, and limited impact confined to integrity. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability is cataloged under CWE-862 (Missing Authorization).
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the integrity of WordPress sites using the Contest Gallery plugin. Attackers could manipulate gallery content by injecting unauthorized media attachments or altering metadata, potentially damaging brand reputation, misleading users, or facilitating social engineering attacks. While it does not allow file uploads or server compromise, unauthorized content manipulation can undermine trust and may be leveraged as part of broader attack chains. Organizations in sectors relying heavily on public-facing WordPress galleries—such as media, e-commerce, cultural institutions, and event organizers—are particularly at risk. Additionally, GDPR considerations arise if manipulated galleries lead to misinformation or affect user data indirectly. The vulnerability's ease of exploitation (no authentication or user interaction required) increases the likelihood of opportunistic attacks, especially on sites without timely updates or mitigations.
Mitigation Recommendations
Immediate mitigation steps include disabling or restricting access to the `cg_check_wp_admin_upload_v10` AJAX action if possible, for example by implementing custom capability checks or nonce verification via WordPress hooks or firewall rules. Organizations should monitor web server logs for unusual AJAX requests targeting this action. Applying updates to the plugin once a patch is released is critical; until then, consider temporarily deactivating the Contest Gallery plugin if galleries are not essential or replacing it with alternative plugins that follow secure coding practices. Web Application Firewalls (WAFs) can be configured to block unauthenticated requests to this AJAX endpoint. Additionally, hardening WordPress installations by enforcing strict user roles and permissions, limiting plugin installations to trusted sources, and conducting regular security audits will reduce exposure. Backup and recovery plans should be reviewed to quickly restore any manipulated content. Finally, educating site administrators about this vulnerability and encouraging prompt patch management is essential.
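The pattern the Technical Summary describes and the fix the mitigation paragraph asks for, as an added illustration that is not the plugin's own code: the action name comes from the advisory, while the callback names, the nonce action, the meta key and the required capability are assumptions, and the hardened version assumes the action is meant for logged-in users who may manage media.

```php
<?php
// Added illustration, not Contest Gallery's code. Callback names, the nonce
// action 'cg_example_upload_nonce', the meta key and the capability are assumed.

// Vulnerable pattern (CWE-862): registered for logged-in (wp_ajax_) AND anonymous
// (wp_ajax_nopriv_) callers, and the handler trusts whatever the request says.
add_action( 'wp_ajax_cg_check_wp_admin_upload_v10',        'cg_example_handler_vulnerable' );
add_action( 'wp_ajax_nopriv_cg_check_wp_admin_upload_v10', 'cg_example_handler_vulnerable' );

function cg_example_handler_vulnerable() {
    $gallery_id    = (int) $_POST['gallery_id'];
    $attachment_id = (int) $_POST['attachment_id'];
    // No nonce, no capability check: any HTTP client reaches this write.
    update_post_meta( $gallery_id, 'cg_example_gallery_items', $attachment_id );
    wp_send_json_success();
}

// Hardened pattern: no nopriv registration, a nonce bound to this action,
// a capability check, input validation and an object-level ownership check.
add_action( 'wp_ajax_cg_check_wp_admin_upload_v10', 'cg_example_handler_hardened' );

function cg_example_handler_hardened() {
    // 1. Nonce: stops CSRF and forged requests; dies with HTTP 403 on failure.
    check_ajax_referer( 'cg_example_upload_nonce', 'nonce' );

    // 2. Authorization: the caller must hold a capability that covers media management.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validate the ids before touching post data.
    $gallery_id    = isset( $_POST['gallery_id'] )    ? absint( $_POST['gallery_id'] )    : 0;
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $gallery_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid ids' ), 400 );
    }

    // 4. Object-level check: being allowed to upload is not being allowed to edit this gallery.
    if ( ! current_user_can( 'edit_post', $gallery_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    update_post_meta( $gallery_id, 'cg_example_gallery_items', $attachment_id );
    wp_send_json_success();
}

// The nonce the client must send is issued to the page that makes the request,
// e.g. passed to the script via wp_localize_script( ..., array( 'nonce' => wp_create_nonce( 'cg_example_upload_nonce' ) ) ).
```

If anonymous front-end submissions are a product requirement, the nopriv registration stays but the handler still needs the nonce check and a server-side policy for what an anonymous caller may change; the nonce alone is not authorization.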
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T21:38:51.157Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69182360b7cdcddb4ca68f99
Added to database: 11/15/2025, 6:53:20 AM
Last enriched: 11/15/2025, 7:08:09 AM
Last updated: 11/15/2025, 2:54:19 PM