CVE-2026-25023
Information Exposure in ContestsWP Plugin Allows Sensitive Data Leak
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| contestswp | run_contests_raffles_and_giveaways | up to and including 2.0.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-25023 exposes sensitive data to unauthorized users, which can affect compliance with data protection regimes such as GDPR and HIPAA. Both require that personal and health information be adequately protected from unauthorized access. Because the vulnerability lets unauthenticated attackers retrieve information that should be restricted, it can translate directly into a breach of confidentiality and data protection requirements.
Although the source rates the severity as low (CVSS base score 5.3, which the CVSS v3.x qualitative scale places in the Medium band), any exposure of sensitive data raises the risk of non-compliance, since these standards mandate strict controls on data access and protection. Organizations running the affected plugin should update to version 2.1.1 or later to close the exposure and stay compliant.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress plugin "Run Contests, Raffles, and Giveaways with ContestsWP" in versions up to and including 2.0.7. Detection comes down to establishing whether a vulnerable version of the plugin is installed on your WordPress site.
To detect a vulnerable plugin version, check the installed plugins list in the WordPress admin dashboard or inspect the plugin files from the command line:
- Use WP-CLI to list installed plugins and their versions: wp plugin list
- Check the version header in the plugin's main PHP file, typically located at wp-content/plugins/contest-code-checker/contest-code-checker.php.
- Scan HTTP responses for plugin endpoints or files that may expose sensitive data, for example by requesting plugin-specific URLs with curl or wget.
Since the vulnerability allows unauthenticated access to sensitive data, monitoring web server logs for requests targeting the contest-code-checker plugin endpoints may also help detect exploitation attempts.
No specific detection commands or signatures are provided in the available resources. [1]
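The version checks described above, turned into a small POSIX shell script. This is an added example, not code from the advisory, Patchstack or the ContestsWP project. It assumes the plugin's main file carries a standard WordPress `Version:` header and that the plugin slug is `contest-code-checker` (the path named in the detection answer above; confirm it against your own `wp plugin list` output). The CSV fed to `check_plugin_list` in the demo is constructed to stand in for real `wp plugin list --fields=name,version,status --format=csv` output; the affected and fixed versions come from the advisory.

```shell
#!/bin/sh
# Added example: flag an installed ContestsWP build that is in the affected
# range (<= 2.0.7) for CVE-2026-25023. Version boundaries from the advisory;
# plugin slug and header format are assumptions noted in the lead-in.

LAST_VULNERABLE="2.0.7"   # last affected release per the advisory
FIXED_VERSION="2.1.1"     # first fixed release per the advisory

# Extract the "Version:" header value from a WordPress plugin main PHP file.
# Handles the usual " * Version: x.y.z" line inside the header comment block.
plugin_version() {
  # $1 = path to the plugin's main PHP file
  sed -n 's/^[[:space:]*#]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Compare two dotted version strings numerically (so 2.0.10 > 2.0.7).
# Prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0;
      y = (i <= nb) ? B[i] + 0 : 0;
      if (x < y) { print "-1"; exit }
      if (x > y) { print "1"; exit }
    }
    print "0"
  }'
}

# True (exit 0) when the given version is at or below the last vulnerable release.
is_vulnerable() {
  [ "$(vercmp "$1" "$LAST_VULNERABLE")" -le 0 ]
}

# Read a wp plugin list CSV (header: name,version,status) on stdin and report
# whether the named plugin slug is in the affected range.
# Real usage:
#   wp plugin list --fields=name,version,status --format=csv | check_plugin_list contest-code-checker
check_plugin_list() {
  slug="$1"
  tail -n +2 | while IFS=, read -r name version status; do
    [ "$name" = "$slug" ] || continue
    if is_vulnerable "$version"; then
      echo "VULNERABLE $name $version ($status) -> update to $FIXED_VERSION or later"
    else
      echo "OK $name $version ($status)"
    fi
  done
}

# Demo on constructed sample data (not real output from any site).
printf 'name,version,status\nakismet,5.3,active\ncontest-code-checker,2.0.7,active\n' \
  | check_plugin_list contest-code-checker
```

The numeric comparison matters because a plain string compare would rank a hypothetical 2.0.10 below 2.0.7. For the file-based check, run `plugin_version wp-content/plugins/contest-code-checker/contest-code-checker.php` (adjusting the path to your install) and pass the result to `is_vulnerable`. Remediation is then the normal WP-CLI update, `wp plugin update contest-code-checker`, followed by re-running the check to confirm the version is 2.1.1 or later.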
Can you explain this vulnerability to me?
CVE-2026-25023 is a Sensitive Data Exposure vulnerability in the WordPress plugin "Run Contests, Raffles, and Giveaways with ContestsWP", affecting versions up to and including 2.0.7.
It allows unauthenticated attackers to access sensitive information that is normally withheld from regular users.
It falls under OWASP Top 10 (2017) category A3: Sensitive Data Exposure, and is classified as CWE-497 above.
The issue was reported on January 3, 2026 and publicly disclosed on February 2, 2026.
The vulnerability is fixed in version 2.1.1 of the plugin. [1]
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to retrieve sensitive system information that should be protected.
Although the source rates the severity as low (CVSS base score 5.3, Medium on the CVSS v3.x qualitative scale), the exposed data could serve as reconnaissance that makes other weaknesses in the site easier to find and exploit.
No exploitation of this issue has been observed so far, but the risk remains until the plugin is updated to a fixed version.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in the Run Contests, Raffles, and Giveaways with ContestsWP plugin, you should update the plugin to version 2.1.1 or later, where the issue is resolved.
Using automated update tools such as those offered by Patchstack can help facilitate rapid protection by automatically updating vulnerable plugins.