CVE-2025-25090
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS. This issue affects Dreamstime Stock Photos: from n/a through <= 4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Dreamstime Stock Photos plugin for WordPress allows unauthenticated script injection via insufficient input sanitization.
Vulnerability
Overview
CVE-2025-25090 is a reflected cross-site scripting (XSS) vulnerability found in the Dreamstime Stock Photos plugin for WordPress, affecting versions 4.1 and earlier. The issue arises from improper neutralization of user-supplied input during web page generation. This type of flaw enables an attacker to inject arbitrary HTML and JavaScript into the application's response, which is then executed in the context of a victim's browser [1].
Exploitation
Prerequisites
An attacker can exploit this vulnerability without requiring authentication, though successful exploitation depends on user interaction. The victim must be tricked into clicking a crafted link or visiting a specifically prepared page that triggers the malicious script execution. Because the plugin is widely deployed, this weakness is considered moderately dangerous and is expected to be targeted in mass-exploit campaigns [1].
Impact
If exploited, the attacker can inject scripts that perform actions such as redirecting users to malicious sites, displaying unwanted advertisements, or stealing session cookies. This can lead to further compromise of the affected WordPress site or its visitors [1].
Mitigation
The vendor has released version 4.2, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, applying a Web Application Firewall (WAF) rule or using a security plugin that provides virtual patching can serve as a temporary workaround [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.