CVE-2025-62950: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was identified in the Contest Gallery WordPress plugin, tracked as CVE-2025-62950. The vulnerability affects versions up to and including 28.0.0 of the Contest Gallery plugin developed by Wasiliy Strecker. The issue was discovered and publicly disclosed on October 12, 2025 (Wordfence, Rapid7).

The vulnerability stems from missing or incorrect nonce validation on a function within the Contest Gallery plugin. The severity of this vulnerability has been assessed with a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability has been classified under CWE-352 (Cross-Site Request Forgery) (NVD, Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. This could potentially lead to unauthorized actions being performed on behalf of authenticated administrators (Patchstack).

The vulnerability has been fixed in version 28.0.1 of the Contest Gallery plugin. Site administrators are advised to update to version 28.0.1 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).