Platform: wordpress
Component: grand-media
Fixed in: 1.25.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Gmedia Photo Gallery WordPress plugin, developed by Serhii Pasyuk. This flaw allows attackers to potentially execute unauthorized actions on a user's behalf if they are logged into a vulnerable WordPress site and visit a malicious link. The vulnerability affects versions from 0.0.0 up to and including 1.25.0, and a patch is available.
The CSRF vulnerability allows an attacker to trick a logged-in user into unknowingly performing actions they didn't intend. For example, an attacker could craft a malicious link that, when clicked, modifies gallery settings, deletes images, or performs other administrative actions. The impact is amplified if the attacker can target users with administrative privileges, potentially leading to complete site compromise. This vulnerability is similar to other CSRF attacks, where the attacker leverages the user's authenticated session to execute malicious requests.
The vulnerability was publicly disclosed on 2025-12-31. There are currently no known public proof-of-concept exploits available. The CVSS score of 4.3 (Medium) indicates a moderate risk. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Gmedia Photo Gallery plugin, particularly those running versions 0.0.0 through 1.25.0, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk due to potential delays in patching.
Detection (wordpress / composer / npm): read the installed plugin version from the plugin directory named on this page (grand-media) and compare it against the fixed version 1.25.1:
grep -r --include='*.php' -m1 'Version:' wp-content/plugins/grand-media/
wp plugin get grand-media --field=version
Detection (generic web): the plugin's readme is usually served as a static file; its "Stable tag" line gives the installed version. Run this only against a site you administer:
curl -s https://example.com/wp-content/plugins/grand-media/readme.txt | grep -i 'stable tag'
Exploit status: no known public proof-of-concept (see above)
EPSS: 0.02% (5th percentile)
The primary mitigation is to upgrade the Gmedia Photo Gallery plugin to a version that addresses this vulnerability. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, carefully review and restrict user permissions to minimize the potential impact of a successful attack. Implement strict input validation and output encoding practices within the plugin itself to prevent future CSRF vulnerabilities. After upgrade, confirm by reviewing the plugin's changelog and testing core functionality.
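For plugin developers, the standard WordPress defence against this class of bug is a nonce tied to the user's session plus a capability check on every state-changing request. The block below is an added illustration of that pattern, not code from the Gmedia Photo Gallery plugin or from its fix; the function names, the hook name and the nonce action string are hypothetical, while check_admin_referer, wp_nonce_field, current_user_can and wp_delete_attachment are real WordPress core functions.

```php
<?php
// Added illustration (not the plugin's code): protecting a state-changing admin
// action against CSRF in a WordPress plugin. Names prefixed "example_" are hypothetical.

// Vulnerable pattern: the handler trusts any POST that reaches it, so a forged
// cross-site form submitted by a logged-in admin deletes the attachment.
// (Not registered with add_action here; shown only for contrast.)
function example_gallery_delete_image_unprotected() {
    if ( isset( $_POST['image_id'] ) ) {
        wp_delete_attachment( absint( $_POST['image_id'] ), true );
    }
}

// Hardened pattern: the nonce binds the request to this user, this site and this
// action (an attacker's page cannot read or predict it), and the capability check
// confirms the user is allowed to perform the action at all.
function example_gallery_delete_image() {
    // Aborts with HTTP 403 when the _wpnonce field is missing or invalid.
    check_admin_referer( 'example_gallery_delete_image' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $image_id = isset( $_POST['image_id'] ) ? absint( $_POST['image_id'] ) : 0;
    if ( $image_id ) {
        wp_delete_attachment( $image_id, true );
    }

    // Redirect back to the referring admin page (or the dashboard) after the action.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// admin_post_{action} only fires for authenticated users; the nonce is still required.
add_action( 'admin_post_example_gallery_delete_image', 'example_gallery_delete_image' );

// The legitimate form embeds the matching nonce field, so only requests that
// originate from this admin page carry a value check_admin_referer() accepts.
function example_gallery_delete_form( $image_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_gallery_delete_image">';
    echo '<input type="hidden" name="image_id" value="' . absint( $image_id ) . '">';
    wp_nonce_field( 'example_gallery_delete_image' );
    submit_button( 'Delete image' );
    echo '</form>';
}
```

The same split applies to AJAX endpoints (check_ajax_referer in place of check_admin_referer): the nonce answers "did this request come from a page we rendered for this user?" and the capability check answers "may this user do this?"; neither alone is sufficient, and input validation on its own addresses neither question.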
CVE-2025-63014 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Gmedia Photo Gallery WordPress plugin, allowing attackers to perform unauthorized actions on a user's behalf.
You are affected if your WordPress site uses the Gmedia Photo Gallery plugin in versions 0.0.0 through 1.25.0. Upgrade immediately to mitigate the risk.
Upgrade the Gmedia Photo Gallery plugin to a patched version. If upgrading is not immediately possible, implement a WAF with CSRF protection rules.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the Gmedia Photo Gallery plugin's official website or WordPress plugin repository for the latest advisory and patch information.