Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe WordPress Plugin Security Vulnerabilities | WPScan

47

March 1, 2026

1000

Published

2026-03-02

Title

Contest Gallery < 28.1.5 - Unauthenticated SQL Injection

Fixed in

Fixed in 28.1.5

CVSS

7.5 (high)

Published

2026-01-09

Title

Contest Gallery < 28.1.2 - Missing Authorization

Fixed in

Fixed in 28.1.2

CVSS

4.3 (medium)

Published

2025-11-14

Title

Contest Gallery < 28.0.3 - Missing Authorization

Fixed in

Fixed in 28.0.3

CVSS

5.3 (medium)

Published

2025-10-12

Title

Contest Gallery < 28.0.1 - Cross-Site Request Forgery

Fixed in

Fixed in 28.0.1

CVSS

4.3 (medium)

Published

2025-10-10

Title

Contest Gallery – Upload, Vote & Sell with PayPal and Stripe < 28.0.0 - Unauthenticated CSV Injection

Fixed in

Fixed in 28.0.0

CVSS

4.3 (medium)

Published

2025-10-03

Title

Contest Gallery – Upload, Vote & Sell with PayPal and Stripe < 27.0.3 - Authenticated (Author+) Stored Cross-Site Scripting

Fixed in

Fixed in 27.0.3

CVSS

6.4 (medium)

Published

2025-07-31

Title

Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI < 26.1.1 - Unauthenticated Stored Cross-Site Scripting

Fixed in

Fixed in 26.1.1

CVSS

7.2 (high)

Published

2025-07-11

Title

Contest Gallery < 26.0.7 - Reflected Cross-Site Scripting

Fixed in

Fixed in 26.0.7

CVSS

6.1 (medium)

Published

2025-07-10

Title

Contest Gallery < 26.0.9 - Authenticated (Author+) Stored Cross-Site Scripting

Fixed in

Fixed in 26.0.9

CVSS

6.4 (medium)

Published

2025-05-07

Title

Contest Gallery < 26.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Fixed in

Fixed in 26.0.7

CVSS

6.4 (medium)

Published

2025-02-27

Title

Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons < 26.0.1 - Unauthenticated Stored Cross-Site Scripting

Fixed in

Fixed in 26.0.1

CVSS

7.2 (high)

Published

2025-01-31

Title

Contest Gallery < 25.1.2 - Authenticated (Author+) SQL Injection

Fixed in

Fixed in 25.1.2

CVSS

6.5 (medium)

Published

2024-12-30

Title

Contest Gallery < 24.0.4 - Authenticated (Author+) Stored Cross-Site Scripting

Fixed in

Fixed in 24.0.4

CVSS

6.4 (medium)

Published

2024-11-27

Title

Contest Gallery < 24.0.8 - Unauthenticated Arbitrary Password Reset

Fixed in

Fixed in 24.0.8

CVSS

9.8 (critical)

Published

2024-11-04

Title

Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons < 24.0.4 - Unauthenticated SQL Injection

Fixed in

Fixed in 24.0.4

CVSS

9.8 (critical)

Published

2024-08-16

Title

Contest Gallery < 23.1.3 - Unauthenticated Information Exposure

Fixed in

Fixed in 23.1.3

CVSS

5.3 (medium)

Published

2024-07-24

Title

Contest Gallery < 23.1.3 - Unauthenticated Stored Cross-Site Scripting

Fixed in

Fixed in 23.1.3

CVSS

6.1 (medium)

Published

2024-04-22

Title

Contest Gallery < 21.3.5 - Authenticated (Author+) Arbitrary File Deletion

Fixed in

Fixed in 21.3.5

CVSS

4.3 (medium)

Published

2024-03-28

Title

Contest Gallery < 21.3.6 - Reflected Cross-Site Scripting

Fixed in

Fixed in 21.3.6

CVSS

6.1 (medium)

Published

2024-03-26

Title

Photos and Files Contest Gallery < 21.3.5 - Authenticated (Contributor+) SQL Injection

Fixed in

Fixed in 21.3.5

CVSS

9.9 (critical)

Published

2024-03-26

Title

Photos and Files Contest Gallery < 21.3.2.1 - Authenticated (Contributor+) SQL Injection

Fixed in

Fixed in 21.3.2.1

CVSS

9.9 (critical)

Published

2024-02-14

Title

Photos and Files Contest Gallery < 21.3.1 - Author+ Stored Cross Site Scripting

Fixed in

Fixed in 21.3.1

CVSS

6.8 (medium)

Published

2024-02-05

Title

Contest Gallery < 21.2.9 - Cross-Site Request Forgery

Fixed in

Fixed in 21.2.9

CVSS

4.3 (medium)

Published

2023-10-09

Title

Photos and Files Contest Gallery – Contact Form < 21.2.8.1 - Unauthenticated Stored XSS via HTTP Headers

Fixed in

Fixed in 21.2.8.1

CVSS

8.8 (high)

Published

2023-03-27

Title

Contest Gallery < 21.1.2.1 - Reflected XSS

Fixed in

Fixed in 21.1.2.1

CVSS

7.1 (high)

Published

2022-12-05

Title

Contest Gallery < 19.1.5.1 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5.1

CVSS

6.8 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

6.8 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

6.8 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Admin+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

4.1 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

6.8 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Admin+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

4.1 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

6.8 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5.1 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5.1

CVSS

6.8 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

6.8 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

6.8 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

6.8 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Unauthenticated SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

8.6 (high)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Admin+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

4.1 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

6.8 (medium)

Published

2022-12-05

Title

Contest Gallery < 19.1.5.1 - Unauthenticated SQL Injection

Fixed in

Fixed in 19.1.5.1

CVSS

8.6 (high)

Published

2022-12-05

Title

Contest Gallery < 19.1.5 - Author+ SQL Injection

Fixed in

Fixed in 19.1.5

CVSS

6.8 (medium)

Published

2022-11-23

Title

Contest Gallery < 14.0.0 - Unauthenticated Stored XSS

Fixed in

Fixed in 14.0.0

CVSS

6.1 (medium)

Published

2022-08-09

Title

Contest Gallery < 17.0.5 - Author+ SQLi

Fixed in

Fixed in 17.0.5

CVSS

7.6 (high)

Published

2021-12-20

Title

Contest Gallery < 14.0.0 - Author+ Stored Cross-Site Scripting

Fixed in

Fixed in 14.0.0

CVSS

4.8 (medium)

Published

2021-11-01

Title

Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure

Fixed in

Fixed in 13.1.0.6

CVSS

8.6 (high)

Published

2021-11-01

Title

Contest Gallery < 13.1.0.7 - Subscriber+ Email Address Disclosure

Fixed in

Fixed in 13.1.0.7

CVSS

6.5 (medium)

Published

2019-06-12

Title

Contest Gallery <= 10.4.4 - Cross-Site Request Forgery (CSRF)

Fixed in

Fixed in 10.4.5

CVSS

8.8 (high)