CVE-2025-3862: 
WordPress vulnerability analysis and mitigation

Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'id' parameter in all versions up to, and including, 26.0.6. The vulnerability was discovered and disclosed on May 8, 2025 (NVD, Wiz).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'id' parameter in the Contest Gallery WordPress plugin. This security flaw has been assigned a CVSS v3.1 Base Score of 6.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). The vulnerability affects authenticated users with Contributor-level access and above (NVD, Wiz).

The vulnerability allows authenticated attackers with Contributor-level privileges or higher to inject malicious web scripts that execute whenever a user accesses an affected page. This could lead to theft of sensitive information, session hijacking, or other client-side attacks against site visitors (Wiz).

The vulnerability has been patched in version 26.0.7 of the Contest Gallery plugin. Site administrators should update to this version immediately. The fix includes improved input sanitization and output escaping for the 'id' parameter (Wiz).