Dreamstime Stock Photos CVE-2025-25090
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS.This issue affects Dreamstime Stock Photos: from n/a through 4.1.
AnalysisAI
Reflected cross-site scripting in the Dreamstime Stock Photos WordPress plugin (versions up to 4.1) allows remote attackers to inject malicious JavaScript into user browsers via crafted URLs. The vulnerability requires victim interaction (UI:R) but no authentication (PR:N), enabling session hijacking, credential theft, or malicious redirects when users click attacker-controlled links. EPSS exploitation probability is low at 0.09% (26th percentile), with no confirmed active exploitation or public proof-of-concept at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable plugin context, affecting the WordPress installation or user session integrity.
Technical ContextAI
The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in a WordPress plugin that integrates Dreamstime stock photo functionality. The plugin fails to properly sanitize user-controllable input before reflecting it in HTTP responses, allowing arbitrary HTML and JavaScript injection. As a WordPress plugin running in the PHP/WordPress environment, the vulnerability likely exists in administrative or front-end pages that process URL parameters, form inputs, or other client-supplied data without proper output encoding or input validation. The network attack vector (AV:N) and low complexity (AC:L) indicate the flaw is easily accessible through standard web requests without special environmental conditions or advanced exploitation techniques.
Affected ProductsAI
WordPress installations running the Dreamstime Stock Photos plugin versions from earliest release through 4.1 are vulnerable. The Patchstack advisory specifically identifies version 4.0 as affected, with the NVD CVE record expanding the range through 4.1. The plugin is available from the WordPress.org plugin repository and integrates Dreamstime's stock photography API into WordPress sites. Vendor advisory and detailed technical analysis available at https://patchstack.com/database/wordpress/plugin/dreamstime-stock-photos/vulnerability/wordpress-dreamstime-stock-photos-plugin-4-0-reflected-cross-site-scripting-xss-vulnerability.
RemediationAI
Upgrade the Dreamstime Stock Photos plugin to version 4.2 or later if available from the WordPress plugin repository or vendor (fixed version not independently confirmed from provided data - verify current plugin version listing at wordpress.org/plugins/dreamstime-stock-photos). As an immediate workaround if patched version is unavailable, deactivate and remove the plugin if stock photo integration is non-essential to site functionality. For sites requiring continued plugin use pending patch availability, implement Web Application Firewall (WAF) rules to block or sanitize suspicious query parameters targeting the plugin's endpoints, though this introduces maintenance overhead and may interfere with legitimate plugin functionality. Educate administrative users to avoid clicking untrusted links while authenticated to WordPress admin panel. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/dreamstime-stock-photos for technical details on affected parameters and exploitation vectors to inform targeted mitigation strategies.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today