CVE-2025-63014

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 16:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Serhii Pasyuk Gmedia Photo Gallery grand-media allows Cross Site Request Forgery. This issue affects Gmedia Photo Gallery: from n/a through <= 1.25.0.

Analysis

Cross-Site Request Forgery (CSRF) vulnerability in the Gmedia Photo Gallery WordPress plugin through version 1.25.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An unauthenticated remote attacker can craft malicious web pages or emails that, when visited by a logged-in admin or user, execute unwanted operations such as modifying gallery settings, uploading images, or changing plugin configuration. The vulnerability has an extremely low exploitation probability (EPSS 0.02%, 5th percentile), but CSRF as a class lets an attacker act with the victim's authority without the victim's intent, and it succeeds more readily when users are not alert to it.

Technical Context

CSRF vulnerabilities (CWE-352) occur when web applications fail to implement sufficient anti-CSRF protections, typically by omitting the cryptographic tokens (nonces) or SameSite cookie attributes that verify a request originated from a legitimate user action within the application. Gmedia Photo Gallery is a WordPress plugin (CPE context: wordpress-gmedia-photo-gallery-plugin) that manages photo galleries and media assets. The plugin apparently processes administrative and user-facing requests without validating the request origin or requiring a unique per-session token. WordPress provides built-in nonce functions (wp_nonce_field, wp_verify_nonce, wp_create_nonce) that developers should use to protect state-changing operations; their absence or misconfiguration in this plugin creates exploitable CSRF vectors.
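The following is an added illustration of the nonce pattern described above; it is not Gmedia's code and does not describe how the plugin is actually written. It contrasts a hypothetical admin-post handler with no CSRF protection against the hardened form that pairs wp_nonce_field() with check_admin_referer() and a capability check. The action name gmx_save_settings, the option gmx_gallery_title and the settings page slug are made up for the example.

```php
<?php
// Added example, not plugin code. Handler, option and page names are invented.

// --- Vulnerable pattern: no nonce, no capability check --------------------
// Any request reaching admin-post.php with the victim's session cookie
// changes the option, including one auto-submitted by a cross-site form.
function gmx_save_settings_unprotected() {
    $title = sanitize_text_field( wp_unslash( $_POST['gallery_title'] ?? '' ) );
    update_option( 'gmx_gallery_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=gmx-settings' ) );
    exit;
}

// --- Hardened pattern: nonce proves intent, capability proves authority ---
function gmx_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'gmx_save_settings', '_gmx_nonce' ); ?>
        <input type="hidden" name="action" value="gmx_save_settings">
        <input type="text" name="gallery_title"
               value="<?php echo esc_attr( get_option( 'gmx_gallery_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function gmx_save_settings_protected() {
    // Dies with "The link you followed has expired" when the nonce is missing,
    // stale, or was issued for a different user or action. A cross-site form
    // cannot obtain a valid nonce for the victim, so the request is rejected.
    check_admin_referer( 'gmx_save_settings', '_gmx_nonce' );

    // The nonce only shows the request came from our form; still enforce
    // that this user is allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), '', array( 'response' => 403 ) );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['gallery_title'] ?? '' ) );
    update_option( 'gmx_gallery_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=gmx-settings&updated=1' ) );
    exit;
}
add_action( 'admin_post_gmx_save_settings', 'gmx_save_settings_protected' );
```

For handlers served through admin-ajax.php the equivalent check is check_ajax_referer(); when auditing a plugin, every update_option(), file write or media insert reachable from a request handler should be traced back to one of these nonce checks plus a current_user_can() test.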

Affected Products

Gmedia Photo Gallery WordPress plugin (by Serhii Pasyuk) is affected in all versions from an unspecified initial release through version 1.25.0. The plugin is hosted on the WordPress.org plugin repository and distributed as a free or freemium product. Users running version 1.25.0 or earlier are vulnerable to CSRF attacks; version 1.25.1 or later (if released) should be reviewed for remediation status per the Patchstack advisory.

Remediation

Update Gmedia Photo Gallery to the patched version released after 1.25.0 immediately. Access the WordPress admin dashboard, navigate to Plugins > Installed Plugins, and check for available updates; click Update Now if prompted. If no patched version is yet available from the plugin author, disable the plugin temporarily (Deactivate) until a fix is released and tested. Review the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/grand-media/vulnerability/wordpress-gmedia-photo-gallery-plugin-1-24-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for the exact patched version number and installation instructions. As a temporary mitigation, restrict plugin functionality via role-based access controls (only trusted admins), use a WordPress security plugin with built-in CSRF protection, and educate users to avoid clicking suspicious links while logged into WordPress.

Priority Score

0 (KEV: 0, EPSS: +0.0, CVSS: +0, POC: 0)
