Platform
wordpress
Component
dream-gallery
Fixed version
1.0.1
CVE-2025-13621 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Dream Gallery plugin for WordPress, reachable through the plugin's 'dreampluginsmain' AJAX action. An attacker who holds no account on the site can alter the plugin's settings, and through them inject web scripts, provided an authenticated administrator's browser can be made to send the forged request. Versions up to and including 1.0 (listed as 1.0.0 through 1.0) are affected. The advisory text on this page was written while a fix was still pending; the fixed-version field above lists 1.0.1, so confirm the latest release in the WordPress plugin directory before relying on an upgrade.
The primary impact of CVE-2025-13621 is script injection through the plugin's settings. The attacker prepares a request to the plugin's settings handler, places it behind a link or on a page they control, and waits for a logged-in site administrator to open it; the administrator's browser attaches the WordPress authentication cookies automatically, and the plugin applies the change because the handler does not verify that the administrator intended it. A setting that is later rendered without escaping becomes a persistent cross-site scripting (XSS) payload, which can lead to administrator session or account takeover, defacement of the website, or redirection of visitors to malicious sites. The blast radius is every user who loads a page where the tampered setting is rendered, administrators included, since the payload executes with that viewer's browser privileges.
CVE-2025-13621 was publicly disclosed on 2025-12-05. No public proof-of-concept exploit is known. The EPSS score listed below is 0.02% (4th percentile), a low predicted probability of exploitation in the wild; that reflects the need for administrator interaction rather than the severity of a successful attack. It has not been added to the CISA KEV catalog as of this writing.
Any WordPress site running an affected Dream Gallery version is exposed, but the attack needs an administrator to visit attacker-controlled content while logged in. Sites where administrators stay logged in to wp-admin for long periods, use the administrator account for everyday browsing, or where many people hold administrator rights therefore see more exposure. Password strength is not a factor here: the forged request rides on an existing session. Note also that if the AJAX handler accepts GET requests, the default SameSite=Lax cookie handling of modern browsers does not stop a clicked link, because a top-level GET navigation still carries the WordPress login cookies.
• wordpress / composer / npm: confirm the vulnerable AJAX action is present in the installed plugin code:
grep -r 'dreampluginsmain' /var/www/html/wp-content/plugins/dream-gallery/
• wordpress / composer / npm: list the installed version and status (1.0 and earlier are affected):
wp plugin list --name=dream-gallery --fields=name,status,version
• generic web: in access logs, look for requests to /wp-admin/admin-ajax.php carrying action=dreampluginsmain whose Referer is missing or belongs to another host, or that arrive as plain GET navigations rather than from the plugin's admin page.
• generic web: after administrators have used the plugin's pages, inspect the rendered pages and response headers for unexpected content or redirects that originate from the plugin's settings.
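One way to run the access-log check above, as an added example that is not part of the advisory or the Dream Gallery plugin: it parses combined-format log lines and reports admin-ajax.php requests for the dreampluginsmain action whose Referer is missing or from another host, which is the trace a CSRF request leaves behind. The site host gallery.example, the sample log lines and the function names are constructed for illustration.

```php
<?php
// Added example (not from the advisory or the Dream Gallery plugin).
// Flags admin-ajax.php requests for the 'dreampluginsmain' action whose
// Referer is missing or belongs to another host: the trace a CSRF request
// leaves in a combined-format access log. Requires PHP 8.0+.

const DG_LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] '
    . '"(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3}) \S+ '
    . '"(?<referer>[^"]*)" "(?<ua>[^"]*)"/';

/** Parse one combined-format line into fields; null if it does not match. */
function dg_parse_log_line( string $line ): ?array {
    if ( ! preg_match( DG_LOG_RE, $line, $m ) ) {
        return null;
    }
    $url = parse_url( $m['target'] );
    parse_str( $url['query'] ?? '', $query );
    return array(
        'ip'      => $m['ip'],
        'time'    => $m['time'],
        'method'  => $m['method'],
        'path'    => $url['path'] ?? '',
        'action'  => $query['action'] ?? null,
        'status'  => (int) $m['status'],
        'referer' => $m['referer'],
    );
}

/** Classify the Referer relative to the site host: same-site, foreign or missing. */
function dg_referer_class( string $referer, string $site_host ): string {
    if ( '' === $referer || '-' === $referer ) {
        return 'missing';   // also produced by strict Referrer-Policy; lower confidence
    }
    $host = (string) parse_url( $referer, PHP_URL_HOST );
    return 0 === strcasecmp( $host, $site_host ) ? 'same-site' : 'foreign';
}

/**
 * Return the log records worth a second look. A 200 response to a flagged
 * request means the handler honoured it; a nonce-checked handler answers 403.
 */
function dg_find_suspect_ajax( array $lines, string $site_host, string $action = 'dreampluginsmain' ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = dg_parse_log_line( $line );
        if ( null === $r || ! str_ends_with( $r['path'], '/wp-admin/admin-ajax.php' ) ) {
            continue;
        }
        $ref = dg_referer_class( $r['referer'], $site_host );
        if ( $r['action'] === $action && 'same-site' !== $ref ) {
            $r['reason'] = "$action request with $ref Referer";
            $hits[]      = $r;
        } elseif ( 'foreign' === $ref && 'POST' === $r['method'] ) {
            // The action may travel in the POST body, which access logs do not
            // record, so any cross-site POST to admin-ajax.php deserves a look.
            $r['reason'] = 'cross-site POST to admin-ajax.php (action not logged)';
            $hits[]      = $r;
        }
    }
    return $hits;
}

// Constructed sample lines: a legitimate save from the plugin's admin page,
// a cross-site GET (a clicked link), one with a stripped Referer, one unrelated.
$sample = array(
    '203.0.113.7 - - [05/Dec/2025:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=dreampluginsmain HTTP/1.1" 200 27 "https://gallery.example/wp-admin/admin.php?page=dream-gallery" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Dec/2025:10:15:32 +0000] "GET /wp-admin/admin-ajax.php?action=dreampluginsmain HTTP/1.1" 200 27 "https://lure.example/news.html" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Dec/2025:10:15:40 +0000] "POST /wp-admin/admin-ajax.php?action=dreampluginsmain HTTP/1.1" 200 27 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Dec/2025:10:16:01 +0000] "GET /wp-content/plugins/dream-gallery/assets/gallery.js HTTP/1.1" 200 1840 "https://gallery.example/" "Mozilla/5.0"',
);

foreach ( dg_find_suspect_ajax( $sample, 'gallery.example' ) as $h ) {
    printf( "%s %s %s %d -> %s\n", $h['time'], $h['ip'], $h['method'], $h['status'], $h['reason'] );
}
```

Run it with `php detect.php` against your own lines (for example `file('/var/log/nginx/access.log')` in place of `$sample`). The first sample line exercises the same-site path and is ignored, the second and third exercise the foreign and missing Referer rules, and the fourth is skipped because it does not target admin-ajax.php. Treat "missing" hits as lower confidence, since privacy extensions and strict Referrer-Policy settings also strip the header, and corroborate any hit by checking the plugin's stored settings for unexpected content.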
disclosure
Exploitation status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The root cause of a WordPress CSRF of this kind is an AJAX handler that does not verify a nonce tied to the acting user (and, typically, does not check a capability such as manage_options before writing settings), so the durable fix is an updated plugin whose handler does both. The fixed-version field on this page lists 1.0.1; confirm that release is installed. Until it is, do not rely on administrators "not clicking suspicious links": restrict who holds administrator rights, have administrators log out of wp-admin when not using it, and review the plugin's settings for unexpected HTML, script or redirect values. Configure the Web Application Firewall (WAF) to reject requests to /wp-admin/admin-ajax.php with action=dreampluginsmain whose Origin or Referer header is not the site's own host; the plugin's own admin page normally sends a same-site Referer, so legitimate saves keep working. Keep access logs for admin-ajax.php so such requests can be found later. Security plugins advertising CSRF protection act as request filters and cannot add the missing nonce check to a third-party handler.
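To make the missing control concrete, here is an added example, not Dream Gallery's own code, of the settings-handler pattern behind a WordPress CSRF of this class beside its hardened form. Only the action name dreampluginsmain comes from the advisory; the option name dg_example_settings, the gallery_title parameter, the nonce action, the script handle and the page hook are assumptions made for illustration.

```php
<?php
// Added example, not the Dream Gallery plugin's code. The 'dreampluginsmain'
// action name is from the advisory; every other name below is assumed.

// BEFORE: the CSRF-prone pattern. Any request that reaches this handler with a
// logged-in administrator's cookies is honoured. Browsers attach those cookies
// automatically, so a form or link on an attacker's page is enough.
function dg_example_save_settings_vulnerable() {
    $settings = array(
        'gallery_title' => $_POST['gallery_title'] ?? '', // raw input, stored as-is
    );
    update_option( 'dg_example_settings', $settings );
    wp_send_json_success();
}

// AFTER: verify a nonce bound to the acting user, require the capability the
// write needs, and sanitise before storing.
function dg_example_save_settings_hardened() {
    // 1. CSRF defence: the nonce was issued to this user for this action; a
    //    cross-site page cannot know it. On failure this dies with HTTP 403.
    check_ajax_referer( 'dg_example_save_settings', 'nonce' );

    // 2. Authorisation: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 3. Validation: never store raw request input in an option that is later
    //    echoed into admin or front-end pages.
    $settings = array(
        'gallery_title' => sanitize_text_field( wp_unslash( $_POST['gallery_title'] ?? '' ) ),
    );
    update_option( 'dg_example_settings', $settings );
    wp_send_json_success();
}
// Only the authenticated hook. A settings write must never be registered on
// wp_ajax_nopriv_, which would expose it to anyone without a session at all.
add_action( 'wp_ajax_dg_example_save_settings', 'dg_example_save_settings_hardened' );

// The nonce must reach the admin page's JavaScript. wp_localize_script is the
// usual route; the script handle and page hook suffix are assumed.
function dg_example_enqueue_admin_script( $hook ) {
    if ( 'toplevel_page_dg-example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'dg-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'dg-example-admin', 'dgExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'dg_example_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'dg_example_enqueue_admin_script' );
// admin.js then sends: jQuery.post( dgExample.ajaxUrl,
//   { action: 'dg_example_save_settings', nonce: dgExample.nonce, gallery_title: value } );

// Output side: escape on render as well, so a value that slipped past
// validation cannot become the persistent XSS the advisory describes.
function dg_example_render_title() {
    $settings = get_option( 'dg_example_settings', array() );
    echo '<h2>' . esc_html( $settings['gallery_title'] ?? '' ) . '</h2>';
}
```

The nonce check alone closes the CSRF; the capability check and the input and output escaping are what stop the same settings write from turning into script injection if any other path reaches it. When auditing a plugin for this bug class, grep its `wp_ajax_` callbacks for the absence of `check_ajax_referer` or `wp_verify_nonce` and of a `current_user_can` call before any `update_option` or database write.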
No known patch is available. Review the vulnerability details carefully and apply mitigations according to your organisation's risk tolerance; where that is not acceptable, uninstall the affected plugin and look for an alternative. (This page's metadata lists 1.0.1 as the fixed version; check whether that release is published before choosing between upgrading and removal.)
CVE-2025-13621 is a Cross-Site Request Forgery (CSRF) vulnerability in the Dream Gallery WordPress plugin, allowing attackers to manipulate settings and inject scripts.
You are affected if your WordPress site runs the Dream Gallery plugin at version 1.0 or earlier (the advisory lists 1.0.0 through 1.0). The fixed-version field on this page gives 1.0.1; upgrade as soon as that release is available in the plugin directory.
If no patched release is installed yet, mitigate by limiting administrator accounts and their logged-in browsing, auditing the plugin's settings for injected content, and filtering cross-site requests to the dreampluginsmain AJAX action at the WAF.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Check the Dream Gallery plugin's official website or WordPress plugin repository for updates and advisories.