Serhii Pasyuk Gmedia Photo Gallery CVE-2025-63014
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Serhii Pasyuk Gmedia Photo Gallery grand-media allows Cross Site Request Forgery.This issue affects Gmedia Photo Gallery: from n/a through <= 1.25.0.
AnalysisAI
Cross-Site Request Forgery (CSRF) vulnerability in Gmedia Photo Gallery WordPress plugin through version 1.25.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An unauthenticated remote attacker can craft malicious web pages or emails that, when visited by a logged-in admin or user, execute unwanted operations such as modifying gallery settings, uploading images, or changing plugin configuration. The vulnerability has an extremely low exploitation probability (EPSS 0.02%, 5th percentile) but represents a class of attacks that can bypass user intent entirely when user awareness is low.
Technical ContextAI
CSRF vulnerabilities (CWE-352) occur when web applications fail to implement sufficient anti-CSRF protections, typically the absence of cryptographic tokens (nonces) or same-site cookie attributes that verify requests originate from legitimate user actions within the application. Gmedia Photo Gallery is a WordPress plugin (CPE context: wordpress-gmedia-photo-gallery-plugin) that manages photo galleries and media assets. The plugin processes administrative and user-facing requests without apparently validating request origin or including unique per-session tokens. WordPress provides built-in nonce functions (wp_nonce_field, wp_verify_nonce, wp_create_nonce) that developers should use to protect state-changing operations; their absence or misconfiguration in this plugin creates exploitable CSRF vectors.
Affected ProductsAI
Gmedia Photo Gallery WordPress plugin (by Serhii Pasyuk) is affected in all versions from an unspecified initial release through version 1.25.0. The plugin is hosted on the WordPress.org plugin repository and distributed as a free or freemium product. Users running version 1.25.0 or earlier are vulnerable to CSRF attacks; version 1.25.1 or later (if released) should be reviewed for remediation status per the Patchstack advisory.
RemediationAI
Update Gmedia Photo Gallery to the patched version released after 1.25.0 immediately. Access the WordPress admin dashboard, navigate to Plugins > Installed Plugins, and check for available updates; click Update Now if prompted. If no patched version is yet available from the plugin author, disable the plugin temporarily (Deactivate) until a fix is released and tested. Review the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/grand-media/vulnerability/wordpress-gmedia-photo-gallery-plugin-1-24-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for the exact patched version number and installation instructions. As a temporary mitigation, restrict plugin functionality via role-based access controls (only trusted admins), use a WordPress security plugin with built-in CSRF protection, and educate users to avoid clicking suspicious links while logged into WordPress.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today