CVE-2025-12849: CWE-862 Missing Authorization in contest-gallery Contest Gallery – Upload, Vote & Sell with PayPal and Stripe
The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files.
AI Analysis
Technical Summary
The Contest Gallery plugin for WordPress, widely used to run contests with upload, voting and selling features via PayPal and Stripe, suffers from an authorization bypass tracked as CVE-2025-12849. The root cause is that the AJAX action `cg_check_wp_admin_upload_v10` is registered for both authenticated and unauthenticated users without enforcing a capability check or nonce verification, the pattern classified as CWE-862 (Missing Authorization). This allows unauthenticated attackers to inject arbitrary media attachments into galleries and alter gallery metadata, which can lead to content manipulation or defacement. Although the vulnerability does not permit uploading or moving files, injected attachments can be leveraged for social engineering, misinformation, or to embed malicious content indirectly. The CVSS 3.1 base score of 5.3 (medium) reflects a network attack vector, no privileges required, no user interaction, and a limited impact on integrity with no impact on confidentiality or availability. No public exploits have been reported yet, but because all versions up to and including 28.0.2 are affected, many WordPress sites remain at risk until patched or mitigated.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized manipulation of contest galleries on WordPress sites, potentially damaging brand reputation and user trust. Attackers might inject misleading or malicious media content, which could be used for phishing, spreading misinformation, or defacing websites. Although the vulnerability does not allow direct file uploads, the ability to manipulate gallery metadata and attachments could facilitate indirect attacks or social engineering campaigns. Organizations relying on the Contest Gallery plugin for customer engagement or e-commerce (via PayPal and Stripe integrations) may face disruptions or loss of customer confidence. Furthermore, regulatory implications under GDPR could arise if manipulated content leads to data misuse or harms user privacy indirectly. The medium severity score suggests a moderate risk, but the ease of exploitation (no authentication or user interaction required) increases the urgency for mitigation.
Mitigation Recommendations
1. Immediate update: Apply any available patches or updates from the plugin vendor once released. Since no patch links are currently provided, monitor vendor announcements closely.
2. Access control hardening: Temporarily restrict access to the AJAX action by implementing custom capability checks or nonce verification via WordPress hooks or firewall rules.
3. Web Application Firewall (WAF): Deploy or update WAF rules to detect and block unauthorized requests to the `cg_check_wp_admin_upload_v10` AJAX endpoint, especially from unauthenticated users.
4. Plugin audit: Review all installed WordPress plugins for similar authorization issues and remove or disable unused or untrusted plugins.
5. Monitoring and logging: Enable detailed logging of AJAX requests and media attachment changes to detect suspicious activity promptly.
6. User education: Inform site administrators about the vulnerability and encourage vigilance against unusual gallery content or metadata changes.
7. Backup: Maintain regular backups of WordPress sites and media libraries to enable quick restoration if manipulation occurs.
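The following mu-plugin is an added, illustrative example of the interim access-control hardening described above (step 2) together with the logging from step 5; it is not the vendor's code or patch. It assumes the action should only be reachable by users holding the `upload_files` capability, and it relies on the fact that admin-ajax.php fires `admin_init` before dispatching either the `wp_ajax_` or the `wp_ajax_nopriv_` hook for an action, which is exactly the gap CWE-862 describes here.

```php
<?php
/**
 * Plugin Name: Gate cg_check_wp_admin_upload_v10 (illustrative mu-plugin)
 * Description: Interim hardening for CVE-2025-12849 until the vendor patch is applied.
 *
 * Place this file in wp-content/mu-plugins/ so it loads before ordinary plugins.
 * Assumption: only users who may upload media ('upload_files') should reach the
 * action; adjust the capability to the site's own policy.
 */

const CG_GATED_ACTION = 'cg_check_wp_admin_upload_v10';
const CG_REQUIRED_CAP = 'upload_files';

/*
 * Missing-authorization pattern (constructed, not the plugin's source): the same
 * callback is wired to both hooks and performs no nonce or capability check, so
 * any remote client can invoke it:
 *   add_action( 'wp_ajax_' . CG_GATED_ACTION,        'handler' );
 *   add_action( 'wp_ajax_nopriv_' . CG_GATED_ACTION, 'handler' );
 * The proper fix belongs in the plugin: drop the nopriv registration and start
 * the handler with check_ajax_referer() plus current_user_can(). Until then,
 * a priority-0 admin_init listener runs ahead of whatever the plugin registered.
 */
add_action( 'admin_init', 'cg_gate_unauthorized_ajax', 0 );

function cg_gate_unauthorized_ajax() {
    if ( ! wp_doing_ajax() ) {
        return; // only admin-ajax.php requests are of interest
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( $action !== CG_GATED_ACTION ) {
        return; // leave every other AJAX action untouched
    }
    // Deny anonymous callers and logged-in users lacking the required capability.
    if ( ! is_user_logged_in() || ! current_user_can( CG_REQUIRED_CAP ) ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        // Goes to the PHP error log (or debug.log with WP_DEBUG_LOG); feed it to
        // the SIEM to spot probing of this endpoint.
        error_log( sprintf( '[cg-gate] blocked %s from %s (user id %d)',
            CG_GATED_ACTION, $ip, get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    // Authorized request: fall through to the plugin's own handler.
}
```

Because the gate sits in front of the plugin rather than inside it, legitimate contest-manager requests keep working while anonymous calls are refused with HTTP 403 and recorded; remove the file once the vendor update is installed.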
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T21:38:51.157Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69182360b7cdcddb4ca68f99
Added to database: 11/15/2025, 6:53:20 AM
Last enriched: 11/22/2025, 8:30:18 AM
Last updated: 2/7/2026, 11:01:17 AM