Platform
wordpress
Component
dream-gallery
Fixed in
1.0.1
CVE-2025-13621 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Dream Gallery plugin for WordPress. A settings handler in the plugin accepts state-changing requests without verifying that the logged-in administrator actually intended them, so an attacker with no credentials who can lure an administrator to a crafted page can change plugin settings and, through those settings, inject web script into the site. The affected range is given as 1.0.0 through 1.0, and the header of this page lists 1.0.1 as the fixed release; treat any installed version below 1.0.1 as affected.
The core impact is that a forged request, submitted by an administrator's browser while it holds a valid wp-admin session, can change the Dream Gallery plugin's settings. The attacker needs no account on the site: a link or a hidden auto-submitting form on a page the administrator visits is enough. If the altered settings are later rendered into pages without escaping, the result is stored cross-site scripting (XSS), which in turn can lead to administrator session or account takeover, defacement, or redirection of visitors to attacker-controlled sites. The blast radius is therefore every visitor of the affected site, not only the administrator whose session was abused.
CVE-2025-13621 was publicly disclosed on 2025-12-05. No public proof-of-concept exploit is known at the time of writing. The EPSS score recorded below is 0.02% (4th percentile), i.e. a low estimated probability of exploitation in the wild, consistent with the need for administrator interaction. The CVE has not been added to the CISA KEV catalog as of this writing.
Exposure is highest on sites whose administrators browse other sites in the same browser profile while logged in to wp-admin, because the forged request rides on the existing session; password strength does not help against CSRF. Sites with several administrators present more targets for the lure, and sites that rarely review plugin settings are less likely to notice a silent change. Installations that are not kept current are the ones most likely to still run the affected release.
• wordpress: grep -r 'dreampluginsmain' /var/www/html/wp-content/plugins/dream-gallery/ (confirms the installed plugin registers the AJAX action named in this advisory; adjust the path to your install)
• wordpress: wp plugin list --status=all | grep dream-gallery (shows the installed version; anything below 1.0.1 is affected)
• generic web: check the web server access log for requests to wp-admin/admin-ajax.php with action=dreampluginsmain, in particular those whose Referer is absent or belongs to a foreign origin.
• generic web: after administrator actions involving the Dream Gallery plugin, inspect the responses for unexpected content or redirects.
Disclosure
Exploit status
EPSS
0.02% (percentile 4%)
CISA SSVC
CVSS vector
The primary mitigation is to update Dream Gallery to 1.0.1, the fixed release listed in the header of this page. Until that is done: administrators should not browse untrusted sites while logged in to wp-admin (CSRF needs a live session in the same browser), plugin settings should be reviewed regularly for unauthorized changes, and a Web Application Firewall can be set to alert on, or block, requests to admin-ajax.php with action=dreampluginsmain whose Referer or Origin is not the site itself. A generic WordPress security plugin cannot add request-origin (nonce) verification to another plugin's handler, so it is not a substitute for the update. Monitor WordPress and web server logs for unusual activity related to the plugin.
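The log check listed under the detection steps and the WAF/monitoring mitigation above apply the same predicate: a request for the affected AJAX action that does not come from the site's own pages. The script below is an added example, not code from the advisory or from the Dream Gallery project. It assumes the handler is reached via /wp-admin/admin-ajax.php?action=dreampluginsmain, that the site's own host is example.org, and that the log is in Apache/Nginx "combined" format; the log lines are constructed for the demonstration.

```python
"""Classify access-log requests to the Dream Gallery AJAX action by Referer,
the usual on-the-wire signal of a CSRF-driven request."""
import re
from urllib.parse import parse_qs, urlparse

# Assumptions (not from the advisory): the handler is reached through
# admin-ajax.php with action=dreampluginsmain, and the site's host is SITE_HOST.
SITE_HOST = "example.org"
TARGET_ACTION = "dreampluginsmain"

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for the demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://example.org/wp-admin/admin.php?page=dream-gallery" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2025:10:05:44 +0000] "POST /wp-admin/admin-ajax.php?action=dreampluginsmain HTTP/1.1" 200 87 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2025:10:06:10 +0000] "GET /wp-admin/admin-ajax.php?action=dreampluginsmain&option=x HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2025:10:07:00 +0000] "POST /wp-admin/admin-ajax.php?action=dreampluginsmain HTTP/1.1" 200 87 "https://example.org/wp-admin/admin.php?page=dream-gallery" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2025:10:08:00 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 20481 "https://example.org/" "Mozilla/5.0"
"""


def classify(line, site_host=SITE_HOST, action=TARGET_ACTION):
    """Return a record for a request that targets the action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlparse(m.group("target"))
    if not target.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # Only the query string is visible in an access log. admin-ajax.php also
    # accepts 'action' in a POST body, which a plain access log does not record.
    if action not in parse_qs(target.query).get("action", []):
        return None
    referer = m.group("referer")
    if referer in ("", "-"):
        verdict = "no-referer"   # privacy settings or a deliberately stripped Referer
    elif urlparse(referer).hostname == site_host:
        verdict = "same-site"    # consistent with a genuine wp-admin interaction
    else:
        verdict = "cross-site"   # hallmark of CSRF: fired from a foreign page
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "referer": referer, "verdict": verdict}


def scan(log_text, site_host=SITE_HOST, action=TARGET_ACTION):
    """Classify every line; return only the requests for the action, in order."""
    records = (classify(ln, site_host, action) for ln in log_text.splitlines())
    return [r for r in records if r is not None]


def suspicious(log_text, **kw):
    """The subset an analyst, or a WAF alert rule, should act on."""
    return [r for r in scan(log_text, **kw) if r["verdict"] != "same-site"]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f'{r["ts"]} {r["ip"]} {r["method"]} referer={r["referer"]!r} -> {r["verdict"]}')
```

Two caveats for real use. First, a CSRF page normally submits the action in a POST body, so an access log that only records the query string will miss it; either enable request-body logging (for example a ModSecurity audit log) or evaluate the same predicate in the WAF on the live request, where the Origin header is also available. Second, "no-referer" is a weaker signal than "cross-site" because privacy extensions strip Referer on legitimate requests, so alert on it rather than block it outright.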
No known fix is available. Review the vulnerability details thoroughly and implement mitigations according to your organization's risk tolerance. It may be preferable to uninstall the affected software and find a replacement. (Note that the header of this page lists 1.0.1 as the fixed version; check the plugin changelog before acting on this notice.)
CVE-2025-13621 is a Cross-Site Request Forgery (CSRF) vulnerability in the Dream Gallery WordPress plugin, allowing an attacker who lures a logged-in administrator to a crafted page to manipulate plugin settings and inject scripts.
You are affected if your WordPress site uses the Dream Gallery plugin in the 1.0.0 through 1.0 range; the header of this page lists 1.0.1 as the fixed release, so upgrade to 1.0.1 or later.
If you cannot upgrade yet, mitigate by keeping administrators logged out of wp-admin while browsing untrusted sites, limiting who holds administrator rights, reviewing plugin settings for unauthorized changes, and using a WAF rule on requests for the affected AJAX action.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Check the Dream Gallery plugin's official website or WordPress plugin repository for updates and advisories.