CVE-2025-25090
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-25090 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Dreamstime Stock Photos WordPress plugin (dreamstime-stock-photos). This issue affects all versions from n/a through 4.1, as documented in the CVE description published on 2025-03-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed for exploitation. Attackers can target any site user, such as authenticated administrators, by delivering malicious input via reflected vectors like crafted URLs or parameters. Successful exploitation enables script execution in the victim's browser context, potentially leading to limited impacts on confidentiality (e.g., session token theft), integrity (e.g., page manipulation), and availability, with scope changed to affect the site's resources.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/dreamstime-stock-photos/vulnerability/wordpress-dreamstime-stock-photos-plugin-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS in the Dreamstime Stock Photos plugin, focusing on version 4.0. Security practitioners should review this reference for specific mitigation steps, such as applying available patches or updates beyond version 4.1.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing plugin enables session cookie theft via injected scripts (T1539) and is typically exploited/delivered using spearphishing links with malicious payloads (T1566.002).