Platform: wordpress
Component: dream-gallery
Fixed in: 1.0.1
CVE-2025-13621 identifies a Cross-Site Request Forgery (CSRF) vulnerability affecting the Dream Gallery plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings and potentially inject malicious web scripts. The vulnerability impacts versions 1.0.0 through 1.0. A fix is expected in a future plugin release.
The primary impact of CVE-2025-13621 is the potential for attackers to inject malicious scripts into a WordPress site. By crafting a forged request and tricking a site administrator into clicking a malicious link, an attacker can modify the Dream Gallery plugin's settings. This could involve altering configurations to serve harmful content or even injecting persistent cross-site scripting (XSS) payloads. Successful exploitation could lead to account takeover, defacement of the website, or redirection of users to malicious sites. The blast radius extends to all users who interact with the affected WordPress site, particularly administrators.
CVE-2025-13621 was publicly disclosed on 2025-12-05. There are currently no known public proof-of-concept exploits available. The vulnerability's EPSS score is likely to be medium, given the requirement for administrator interaction and the potential for significant impact. It has not been added to the CISA KEV catalog as of this writing.
WordPress sites using the Dream Gallery plugin, particularly those with multiple administrators or shared hosting environments, are at increased risk. Sites with weak password policies or inadequate administrator training are also more vulnerable. Legacy WordPress installations with outdated security practices are especially susceptible.
• wordpress / composer / npm:
  grep -r 'dreampluginsmain' /var/www/html/wp-content/plugins/dream-gallery/
• wordpress / composer / npm:
  wp plugin list --status=all | grep dream-gallery
• generic web: Check for unusual AJAX requests targeting 'dreampluginsmain' in access logs.
• generic web: Inspect response headers for unexpected content or redirects after administrator actions involving the Dream Gallery plugin.
Disclosure
Exploit status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2025-13621 is to avoid clicking on suspicious links, especially when logged in as an administrator. Since a fixed version is not yet available, implement strict access controls and regularly review plugin settings for unauthorized changes. Consider using a WordPress security plugin with CSRF protection features. Web Application Firewalls (WAFs) can be configured to filter out potentially malicious requests targeting the 'dreampluginsmain' AJAX action. Monitor WordPress logs for unusual activity related to the Dream Gallery plugin.
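As an added example (not code from this advisory or from the plugin's authors), the following Python script implements the access-log check recommended here and in the detection section: it parses combined-format log lines, keeps only admin-ajax.php requests whose query string carries the 'dreampluginsmain' action named on this page, and flags those with a missing or cross-site Referer, the usual trace a forged request leaves. The log lines, the site hostname and the paths are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Dec/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=dreampluginsmain HTTP/1.1" 200 512 "https://example.org/wp-admin/admin.php?page=dream-gallery" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=dreampluginsmain HTTP/1.1" 200 512 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.8 - - [05/Dec/2025:10:03:44 +0000] "GET /wp-admin/admin-ajax.php?action=dreampluginsmain&opt=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Dec/2025:10:04:00 +0000] "GET /wp-content/plugins/dream-gallery/css/style.css HTTP/1.1" 200 2048 "https://example.org/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

AJAX_ACTION = "dreampluginsmain"  # AJAX action named in the advisory


def classify(line: str, site_host: str):
    """Return None for uninteresting lines, else a dict describing a suspicious
    admin-ajax request for the Dream Gallery action (site_host is assumed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["path"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # Only requests carrying the action in the query string are visible here;
    # a POST body is not written to a standard access log.
    if AJAX_ACTION not in parse_qs(url.query).get("action", []):
        return None
    referer = m["referer"]
    if referer in ("-", ""):
        reason = "missing Referer"
    elif urlparse(referer).hostname != site_host:
        reason = f"cross-site Referer {urlparse(referer).hostname}"
    else:
        return None  # same-origin request from the admin UI
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "reason": reason}


def scan(log_text: str, site_host: str):
    """Run classify() over every line and collect the findings."""
    return [h for h in (classify(l, site_host) for l in log_text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, "example.org"):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} -> {hit['reason']}")
```

Requests that pass the action only in a POST body never reach a standard access log, so pair this check with WAF or application-level logging if you need that coverage.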
No known patch is available. Please review the vulnerability details thoroughly and apply mitigations based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2025-13621 is a Cross-Site Request Forgery (CSRF) vulnerability in the Dream Gallery WordPress plugin, allowing attackers to manipulate settings and inject scripts.
You are affected if your WordPress site uses the Dream Gallery plugin in versions 1.0.0–1.0. Upgrade to a patched version when available.
A patch is not yet available. Mitigate by avoiding suspicious links, implementing strict access controls, and using a WAF.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Check the Dream Gallery plugin's official website or WordPress plugin repository for updates and advisories.