Platform: wordpress
Component: dream-gallery
Fixed in: 1.0.1
CVE-2025-13621 identifies a Cross-Site Request Forgery (CSRF) vulnerability affecting the Dream Gallery plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings and potentially inject malicious web scripts. The vulnerability impacts versions 1.0.0 through 1.0. A fix is expected in a future plugin release.
The primary impact of CVE-2025-13621 is the potential for attackers to inject malicious scripts into a WordPress site. By crafting a forged request and tricking a site administrator into clicking a malicious link, an attacker can modify the Dream Gallery plugin's settings. This could involve altering configurations to serve harmful content or even injecting persistent cross-site scripting (XSS) payloads. Successful exploitation could lead to account takeover, defacement of the website, or redirection of users to malicious sites. The blast radius extends to all users who interact with the affected WordPress site, particularly administrators.
CVE-2025-13621 was publicly disclosed on 2025-12-05. There are currently no known public proof-of-concept exploits available. The vulnerability's EPSS score is likely to be medium, given the requirement for administrator interaction and the potential for significant impact. It has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC: (no value given)
CVSS Vector: (no value given)
The immediate mitigation for CVE-2025-13621 is to avoid clicking on suspicious links, especially when logged in as an administrator. Since a fixed version is not yet available, implement strict access controls and regularly review plugin settings for unauthorized changes. Consider using a WordPress security plugin with CSRF protection features. Web Application Firewalls (WAFs) can be configured to filter out potentially malicious requests targeting the 'dreampluginsmain' AJAX action. Monitor WordPress logs for unusual activity related to the Dream Gallery plugin.
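The log-monitoring mitigation above can be turned into a concrete triage check. The script below is an added example and is not code from the advisory, the plugin, or any vendor; it scans web-server access-log lines for admin-ajax.php requests carrying the 'dreampluginsmain' action and flags those whose Referer is missing or points at a foreign origin, which is what a forged cross-site request from an attacker's lure page would look like. The Apache combined log format, the site hostname shop.example, the sample log lines, and the Referer-based same-origin heuristic are all assumptions made for the example.

```python
"""
Added example (not part of the original advisory): flag access-log entries
that hit the Dream Gallery 'dreampluginsmain' AJAX action from a foreign or
missing Referer. Log format, hostname and sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "shop.example"          # assumed hostname of the protected site
TARGET_ACTION = "dreampluginsmain"  # AJAX action named in the advisory

# Assumed Apache "combined" format:
# ip - user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one legitimate settings change from wp-admin, one
# request referred from an attacker-controlled page, one with no Referer,
# and one unrelated static-file hit.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Dec/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=dreampluginsmain HTTP/1.1" 200 312 "https://shop.example/wp-admin/admin.php?page=dream-gallery" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2025:10:05:44 +0000] "POST /wp-admin/admin-ajax.php?action=dreampluginsmain HTTP/1.1" 200 312 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.9 - - [05/Dec/2025:10:06:01 +0000] "POST /wp-admin/admin-ajax.php?action=dreampluginsmain HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.1 - - [05/Dec/2025:10:07:15 +0000] "GET /wp-content/uploads/gallery.jpg HTTP/1.1" 200 9000 "https://shop.example/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def targets_plugin_action(path):
    """True if the request path is admin-ajax.php with action=dreampluginsmain
    in the query string. Note: a POST body is not present in access logs, so
    an action sent only in the body is invisible here (a WAF sees the body)."""
    parts = urlsplit(path)
    if not parts.path.endswith("/admin-ajax.php"):
        return False
    return TARGET_ACTION in parse_qs(parts.query).get("action", [])


def is_cross_site(referer):
    """Heuristic: a legitimate settings change from wp-admin carries a
    same-origin Referer; a missing ("-") or foreign Referer is suspicious."""
    if referer in ("", "-"):
        return True
    return urlsplit(referer).hostname != SITE_HOST


def find_suspicious(log_text):
    """Return (client_ip, referer) for every plugin-action request that does
    not come from the site's own origin."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if targets_plugin_action(rec["path"]) and is_cross_site(rec["referer"]):
            hits.append((rec["ip"], rec["referer"]))
    return hits


if __name__ == "__main__":
    for ip, ref in find_suspicious(SAMPLE_LOG):
        print(f"suspicious {TARGET_ACTION} call from {ip}, referer={ref!r}")
```

Treat a hit as a triage signal rather than proof: browsers with a strict referrer policy may legitimately omit the Referer, and access logs never show POST bodies, so a request that names the action only in its body is missed. The same same-origin condition is better enforced in a WAF rule, and the durable fix remains a nonce check and capability check in the plugin's AJAX handler once a patched release is installed.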
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-13621 is a Cross-Site Request Forgery (CSRF) vulnerability in the Dream Gallery WordPress plugin, allowing attackers to manipulate settings and inject scripts.
You are affected if your WordPress site uses the Dream Gallery plugin in versions 1.0.0–1.0. Upgrade to a patched version when available.
A patch is not yet available. Mitigate by avoiding suspicious links, implementing strict access controls, and using a WAF.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Check the Dream Gallery plugin's official website or WordPress plugin repository for updates and advisories.