Photo Contest | Competition | Video Contest Security & Risk Analysis

wordpress.org/plugins/totalcontest-lite

If you're looking to host a contest or competition on your WordPress website, TotalContest is the perfect plugin for you.

300 active installs v2.9.1 PHP 5.6+ WP 4.8+ Updated Sep 5, 2025
Tags: contest, gallery, giveaway, photo-contest, video-contest

Score: 99
Grade: A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Feb 3, 2025
Safety Verdict

Is Photo Contest | Competition | Video Contest Safe to Use in 2026?

Generally Safe

Score 99/100

Photo Contest | Competition | Video Contest has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 3, 2025 · Updated 7mo ago
Risk Assessment

The totalcontest-lite v2.9.1 plugin exhibits a mixed security posture. On the positive side, it demonstrates strong practices in SQL query handling with 100% prepared statements and generally good output escaping with 99% of outputs properly handled. The absence of critical or high severity taint flows is also a positive sign. However, a significant concern arises from the large attack surface, with 28 out of 39 entry points lacking proper authentication checks. This could expose the plugin to various unauthorized actions if not adequately secured by the WordPress installation.

The vulnerability history shows a past medium severity Cross-site Scripting (XSS) vulnerability which, although it has been patched, indicates a potential for input validation and sanitization weaknesses. The presence of the `unserialize` function, even if not directly exploited in the analyzed flows, is a known risk factor for deserialization vulnerabilities if user-supplied data is ever passed to it without stringent validation. The limited number of nonce and capability checks on the numerous AJAX handlers is a critical oversight that amplifies the risk posed by the unprotected entry points.

In conclusion, while the plugin has made strides in secure coding practices like prepared statements and output escaping, the significant number of unprotected AJAX handlers and the historical XSS vulnerability point to areas needing immediate attention. The presence of `unserialize` further adds to the potential risk. The overall security of this plugin heavily relies on the surrounding WordPress environment's security measures to mitigate the risks stemming from its exposed attack surface.

Key Concerns

  • Large attack surface without auth checks
  • Dangerous function: unserialize detected
  • Medium severity vulnerability history
  • Missing nonce checks on AJAX handlers
  • Limited capability checks on entry points
Vulnerabilities: 1

Photo Contest | Competition | Video Contest Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2024-13822 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Total Contest Lite <= 2.8.1 - Reflected Cross-Site Scripting

Feb 3, 2025 Patched in 2.9.0 (79d)
Code Analysis
Analyzed Mar 16, 2026

Photo Contest | Competition | Video Contest Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 0 (23 prepared)
Unescaped Output: 5 (787 escaped)
Nonce Checks: 3
Capability Checks: 30
File Operations: 13
External Requests: 6
Bundled Libraries: 0

Dangerous Functions Found

unserialize · src\Admin\Submission\Editor.php:97 · $this->settings['fields'] = is_string( $this->settings['fields'] ) ? unserialize( base64_decode( $…
unserialize · src\Admin\Submission\Editor.php:98 · $this->settings['contents'] = is_string( $this->settings['contents'] ) ? unserialize( base64_decode(…
unserialize · src\Submission\Model.php:152 · $this->attributes['fields'] = is_string( $this->attributes['fields'] ) ? unserialize( base64_decod…
unserialize · src\Submission\Model.php:153 · $this->attributes['contents'] = is_string( $this->attributes['contents'] ) ? unserialize( base64_dec…

SQL Query Safety

100% prepared (23 total queries)

Output Escaping

99% escaped (792 total outputs)

Attack Surface: 28 unprotected

Photo Contest | Competition | Video Contest Attack Surface

Entry Points: 39
Unprotected: 28

AJAX Handlers 28

Type · Hook · Location
auth · wp_ajax_totalcontest_nps · src\Admin\Ajax\Bootstrap.php:36
auth · wp_ajax_totalcontest_onboarding · src\Admin\Ajax\Bootstrap.php:58
auth · wp_ajax_totalcontest_dashboard_contests_overview · src\Admin\Ajax\Bootstrap.php:81
auth · wp_ajax_totalcontest_dashboard_blog_feed · src\Admin\Ajax\Bootstrap.php:89
auth · wp_ajax_totalcontest_log_list · src\Admin\Ajax\Bootstrap.php:94
auth · wp_ajax_totalcontest_log_download · src\Admin\Ajax\Bootstrap.php:98
auth · wp_ajax_totalcontest_log_export · src\Admin\Ajax\Bootstrap.php:102
auth · wp_ajax_totalcontest_log_export_status · src\Admin\Ajax\Bootstrap.php:106
auth · wp_ajax_totalcontest_log_remove · src\Admin\Ajax\Bootstrap.php:110
auth · wp_ajax_totalcontest_modules_install_from_file · src\Admin\Ajax\Bootstrap.php:115
auth · wp_ajax_totalcontest_modules_install_from_store · src\Admin\Ajax\Bootstrap.php:118
auth · wp_ajax_totalcontest_modules_list · src\Admin\Ajax\Bootstrap.php:121
auth · wp_ajax_totalcontest_modules_update · src\Admin\Ajax\Bootstrap.php:124
auth · wp_ajax_totalcontest_modules_uninstall · src\Admin\Ajax\Bootstrap.php:127
auth · wp_ajax_totalcontest_modules_activate · src\Admin\Ajax\Bootstrap.php:130
auth · wp_ajax_totalcontest_modules_deactivate · src\Admin\Ajax\Bootstrap.php:133
auth · wp_ajax_totalcontest_options_save_options · src\Admin\Ajax\Bootstrap.php:138
auth · wp_ajax_totalcontest_options_purge · src\Admin\Ajax\Bootstrap.php:141
auth · wp_ajax_totalcontest_tracking_features · src\Admin\Ajax\Bootstrap.php:149
auth · wp_ajax_totalcontest_tracking_screens · src\Admin\Ajax\Bootstrap.php:160
auth · wp_ajax_totalcontest_contests_add_to_sidebar · src\Admin\Ajax\Bootstrap.php:190
auth · wp_ajax_totalcontest_contests_get_categories · src\Admin\Ajax\Bootstrap.php:197
auth · wp_ajax_totalcontest_contests_approve_submission · src\Admin\Ajax\Bootstrap.php:207
auth · wp_ajax_totalcontest_templates_get_defaults · src\Admin\Ajax\Bootstrap.php:219
auth · wp_ajax_totalcontest_templates_get_preview · src\Admin\Ajax\Bootstrap.php:226
auth · wp_ajax_totalcontest_templates_get_settings · src\Admin\Ajax\Bootstrap.php:233
auth · wp_ajax_totalcontest · src\Bootstrap.php:203
nopriv · wp_ajax_totalcontest · src\Bootstrap.php:204

Shortcodes 11

[totalcontest] src\Plugin.php:864
[totalcontest-contest-participate] src\Plugin.php:868
[totalcontest-contest-submissions] src\Plugin.php:872
[totalcontest-contest-page] src\Plugin.php:876
[totalcontest-submission] src\Plugin.php:880
[totalcontest-countdown] src\Plugin.php:884
[totalcontest-image] src\Plugin.php:888
[totalcontest-video] src\Plugin.php:892
[totalcontest-audio] src\Plugin.php:896
[totalcontest-text] src\Plugin.php:900
[totalcontest-file] src\Plugin.php:904
WordPress Hooks 92
Type · Hook · Location
action · admin_init · setup.php:81
action · admin_notices · setup.php:82
action · current_screen · src\Admin\Bootstrap.php:115
action · admin_menu · src\Admin\Bootstrap.php:116
filter · admin_body_class · src\Admin\Bootstrap.php:117
action · admin_action_reset_contest · src\Admin\Bootstrap.php:118
action · admin_notices · src\Admin\Bootstrap.php:119
filter · admin_footer_text · src\Admin\Bootstrap.php:222
filter · update_footer · src\Admin\Bootstrap.php:223
filter · parent_file · src\Admin\Bootstrap.php:250
action · admin_enqueue_scripts · src\Admin\Contest\Editor.php:80
action · edit_form_after_title · src\Admin\Contest\Editor.php:82
action · submitpost_box · src\Admin\Contest\Editor.php:84
filter · wp_insert_post_data · src\Admin\Contest\Editor.php:86
filter · totalcontest/filters/admin/contest/editor/defaults · src\Admin\Contest\Editor.php:95
filter · redirect_post_location · src\Admin\Contest\Editor.php:689
filter · manage_contest_posts_columns · src\Admin\Contest\Listing.php:36
action · manage_contest_posts_custom_column · src\Admin\Contest\Listing.php:39
filter · post_row_actions · src\Admin\Contest\Listing.php:42
action · admin_enqueue_scripts · src\Admin\Contest\Listing.php:46
filter · pre_get_posts · src\Admin\Contest\Listing.php:49
filter · totalcontest/filters/admin/contest/listing/columns-content/votes · src\Admin\Contest\Listing.php:100
filter · totalcontest/filters/admin/contest/listing/columns-content/submissions · src\Admin\Contest\Listing.php:105
action · pre_current_active_plugins · src\Admin\Plugins\UninstallFeedback.php:7
action · admin_init · src\Admin\Privacy\Policy.php:32
filter · wp_privacy_personal_data_exporters · src\Admin\Privacy\Policy.php:33
filter · wp_privacy_personal_data_erasers · src\Admin\Privacy\Policy.php:34
action · admin_enqueue_scripts · src\Admin\Submission\Editor.php:63
action · admin_enqueue_scripts · src\Admin\Submission\Editor.php:65
action · edit_form_after_title · src\Admin\Submission\Editor.php:67
action · submitpost_box · src\Admin\Submission\Editor.php:69
filter · wp_insert_post_data · src\Admin\Submission\Editor.php:71
filter · parent_file · src\Admin\Submission\Editor.php:80
filter · submenu_file · src\Admin\Submission\Editor.php:81
filter · redirect_post_location · src\Admin\Submission\Editor.php:302
filter · parse_query · src\Admin\Submission\Listing.php:46
filter · admin_url · src\Admin\Submission\Listing.php:47
filter · restrict_manage_posts · src\Admin\Submission\Listing.php:48
filter · manage_contest_submission_posts_columns · src\Admin\Submission\Listing.php:49
action · manage_contest_submission_posts_custom_column · src\Admin\Submission\Listing.php:50
filter · manage_edit-contest_submission_sortable_columns · src\Admin\Submission\Listing.php:51
filter · parent_file · src\Admin\Submission\Listing.php:52
filter · submenu_file · src\Admin\Submission\Listing.php:53
filter · post_row_actions · src\Admin\Submission\Listing.php:54
filter · display_post_states · src\Admin\Submission\Listing.php:55
filter · pre_get_posts · src\Admin\Submission\Listing.php:56
action · restrict_manage_posts · src\Admin\Submission\Listing.php:58
action · admin_enqueue_scripts · src\Admin\Submission\Listing.php:59
action · admin_footer · src\Admin\Submission\Listing.php:60
action · manage_posts_extra_tablenav · src\Admin\Submission\Listing.php:64
action · totalcontest/actions/urls/flush · src\Bootstrap.php:27
action · init · src\Bootstrap.php:30
filter · query_vars · src\Bootstrap.php:31
filter · request · src\Bootstrap.php:32
action · wp · src\Bootstrap.php:46
filter · oembed_providers · src\Bootstrap.php:55
filter · totalcontest/commands/contest/submission:create · src\Bootstrap.php:140
filter · totalcontest/commands/submission/count:vote · src\Bootstrap.php:161
filter · totalcontest/commands/submission/count:view · src\Bootstrap.php:165
action · wp · src\Bootstrap.php:202
filter · the_content · src\Bootstrap.php:425
action · wp_head · src\Bootstrap.php:427
filter · wp_title_parts · src\Bootstrap.php:429
filter · the_title · src\Bootstrap.php:430
action · embed_content · src\Bootstrap.php:434
filter · the_excerpt_embed · src\Bootstrap.php:436
filter · embed_site_title_html · src\Bootstrap.php:437
action · totalcontest/actions/request/landing · src\Contest\Controller.php:43
action · totalcontest/actions/request/submissions · src\Contest\Controller.php:44
action · totalcontest/actions/request/get/participate · src\Contest\Controller.php:45
action · totalcontest/actions/request/post/participate · src\Contest\Controller.php:46
action · totalcontest/actions/request/content · src\Contest\Controller.php:47
action · totalcontest/actions/ajax-request · src\Contest\Controller.php:49
action · init · src\Contest\PostType.php:19
action · totalcontest/actions/activated · src\Contest\PostType.php:21
filter · totalcontest/filters/render/vars · src\Decorators\StructuredData.php:17
filter · posts_where · src\Migrations\Contest\TotalContest\Extract.php:70
filter · posts_where · src\Migrations\Contest\TotalContest\Extract.php:108
filter · safe_style_css · src\Plugin.php:604
filter · gettext_totalcontest · src\Plugin.php:927
filter · ngettext_totalcontest · src\Plugin.php:940
action · init · src\Plugin.php:982
action · wp_footer · src\Shortcode\Contest.php:86
action · totalcontest/actions/request/vote · src\Submission\Controller.php:44
action · totalcontest/actions/request/view · src\Submission\Controller.php:45
action · totalcontest/actions/request/submission · src\Submission\Controller.php:46
action · totalcontest/actions/ajax-request · src\Submission\Controller.php:48
action · init · src\Submission\PostType.php:22
filter · post_type_link · src\Submission\PostType.php:24
filter · user_has_cap · src\Submission\PostType.php:25
action · totalcontest/actions/activated · src\Submission\PostType.php:28
action · before_delete_post · src\Submission\PostType.php:31

Scheduled Events 2

totalcontest/actions/urls/flush
totalcontest/actions/urls/flush
Maintenance & Trust

Photo Contest | Competition | Video Contest Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 5, 2025
PHP min version: 5.6
Downloads: 14K

Community Trust

Rating: 90/100
Number of ratings: 19
Active installs: 300
Developer Profile

Photo Contest | Competition | Video Contest Developer Profile

TotalSuite

5 plugins · 2K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 138 days
Detection Fingerprints

How We Detect Photo Contest | Competition | Video Contest

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/totalcontest-lite/dist/admin/js/chunk-vendors.js
/wp-content/plugins/totalcontest-lite/dist/admin/js/chunk-common.js
/wp-content/plugins/totalcontest-lite/dist/admin/js/admin-contest-editor.js
/wp-content/plugins/totalcontest-lite/dist/admin/css/admin-contest-editor.css
Script Paths
totalcontest-admin-contest-editor
Version Parameters
totalcontest-admin-contest-editor.js?ver=
totalcontest-admin-contest-editor.css?ver=

HTML / DOM Fingerprints

CSS Classes
totalcontest-admin-contest-editor, tc-editor-tabs, tc-editor-tab, tc-editor-tab-active, tc-editor-tabs-content, tc-editor-tab-content, tc-editor-header, tc-editor-title (+22 more)
HTML Comments
<!-- Admin Contest Editor -->, <!-- TotalContest Settings -->, <!-- TotalContest Defaults -->, <!-- TotalContest Information --> (+5 more)
Data Attributes
data-tc-template-id, data-tc-template-defaults, data-tc-template-settings, data-tc-template-preview, data-tc-editor-tab-id
JS Globals
TotalContestSettings, TotalContestDefaults, TotalContestInformation, TotalContestTemplates, TotalContestLanguages, TotalContestPresets
REST Endpoints
/wp-json/totalcontest/v1/contest
/wp-json/totalcontest/v1/contests
/wp-json/totalcontest/v1/templates
/wp-json/totalcontest/v1/template
/wp-json/totalcontest/v1/settings
/wp-json/totalcontest/v1/translations
Shortcode Output
[totalcontest], [totalcontest id=""], [totalcontest slug=""]
FAQ

Frequently Asked Questions about Photo Contest | Competition | Video Contest