Skip to main content

Dreamstime Stock Photos CVE-2025-25090

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS.This issue affects Dreamstime Stock Photos: from n/a through 4.1.

AnalysisAI

Reflected cross-site scripting in the Dreamstime Stock Photos WordPress plugin (versions up to 4.1) allows remote attackers to inject malicious JavaScript into user browsers via crafted URLs. The vulnerability requires victim interaction (UI:R) but no authentication (PR:N), enabling session hijacking, credential theft, or malicious redirects when users click attacker-controlled links. EPSS exploitation probability is low at 0.09% (26th percentile), with no confirmed active exploitation or public proof-of-concept at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable plugin context, affecting the WordPress installation or user session integrity.

Technical ContextAI

The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in a WordPress plugin that integrates Dreamstime stock photo functionality. The plugin fails to properly sanitize user-controllable input before reflecting it in HTTP responses, allowing arbitrary HTML and JavaScript injection. As a WordPress plugin running in the PHP/WordPress environment, the vulnerability likely exists in administrative or front-end pages that process URL parameters, form inputs, or other client-supplied data without proper output encoding or input validation. The network attack vector (AV:N) and low complexity (AC:L) indicate the flaw is easily accessible through standard web requests without special environmental conditions or advanced exploitation techniques.

Affected ProductsAI

WordPress installations running the Dreamstime Stock Photos plugin versions from earliest release through 4.1 are vulnerable. The Patchstack advisory specifically identifies version 4.0 as affected, with the NVD CVE record expanding the range through 4.1. The plugin is available from the WordPress.org plugin repository and integrates Dreamstime's stock photography API into WordPress sites. Vendor advisory and detailed technical analysis available at https://patchstack.com/database/wordpress/plugin/dreamstime-stock-photos/vulnerability/wordpress-dreamstime-stock-photos-plugin-4-0-reflected-cross-site-scripting-xss-vulnerability.

RemediationAI

Upgrade the Dreamstime Stock Photos plugin to version 4.2 or later if available from the WordPress plugin repository or vendor (fixed version not independently confirmed from provided data - verify current plugin version listing at wordpress.org/plugins/dreamstime-stock-photos). As an immediate workaround if patched version is unavailable, deactivate and remove the plugin if stock photo integration is non-essential to site functionality. For sites requiring continued plugin use pending patch availability, implement Web Application Firewall (WAF) rules to block or sanitize suspicious query parameters targeting the plugin's endpoints, though this introduces maintenance overhead and may interfere with legitimate plugin functionality. Educate administrative users to avoid clicking untrusted links while authenticated to WordPress admin panel. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/dreamstime-stock-photos for technical details on affected parameters and exploitation vectors to inform targeted mitigation strategies.

Share

CVE-2025-25090 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy