CVE-2025-22693

High

Published: 03 February 2025

Published

03 February 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

EPSS Score 0.0003 7.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows SQL Injection.This issue affects Contest Gallery: from n/a through <= 25.1.0.

Security Summary

CVE-2025-22693 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89. It affects the Contest Gallery WordPress plugin (contest-gallery) developed by Wasiliy Strecker / ContestGallery, impacting all versions from n/a through 25.1.0.

The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L). It can be exploited over the network with low attack complexity by authenticated users possessing high privileges, requiring no user interaction. Exploitation enables high-impact confidentiality violations, such as unauthorized data extraction from the database, alongside low availability disruption and changed scope, but no integrity impact.

The Patchstack advisory provides further details on this WordPress Contest Gallery plugin 25.1.0 SQL injection vulnerability, including mitigation guidance: https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-25-1-0-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s): CWE-89

Affected Products

contest-gallery

contest gallery

≤ 25.1.2

References

https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-25-1-0-sql-injection-vulnerability?_s_id=cve
Third Party Advisory · audit@patchstack.com