CVE-2025-13621: CWE-352 Cross-Site Request Forgery (CSRF) in teamdream dream gallery
The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'dreampluginsmain' AJAX action. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13621 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability in the 'dream gallery' WordPress plugin developed by teamdream, affecting all versions up to and including 1.0. The root cause is missing or incorrectly implemented nonce validation on the 'dreampluginsmain' AJAX action; that nonce check is what should tie a settings-update request to the site's own admin interface. WordPress nonces are per-user, per-action tokens that verify a request originated from a legitimate page of the site; without that check, a forged request that the browser sends with the victim's session cookies is accepted as legitimate. An unauthenticated attacker can exploit this by tricking an authenticated site administrator into clicking a specially crafted link or visiting a malicious webpage. On success, the attacker can modify plugin settings and inject web scripts, potentially leading to persistent cross-site scripting (XSS) or other malicious behaviour. The vulnerability affects confidentiality and integrity but not availability. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates a network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, and low impact on confidentiality and integrity. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on 2025-11-24 and published on 2025-12-05 by Wordfence.
Potential Impact
The primary impact of this vulnerability is the unauthorized modification of plugin settings and injection of malicious scripts, which can lead to compromised site integrity and potential exploitation of site visitors through malicious payloads. Organizations running WordPress sites with the dream gallery plugin are at risk of having their administrative settings altered without consent, which could facilitate further attacks such as persistent XSS or redirecting users to malicious sites. This can damage organizational reputation, lead to data leakage, and potentially result in regulatory compliance issues if user data is compromised. Since the attack requires tricking an administrator into clicking a link, social engineering is a key factor, increasing the risk in environments where administrators may be targeted via phishing. The vulnerability does not impact system availability directly but can degrade trust and security posture significantly.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first verify whether the dream gallery plugin is installed and which version is in use. Since no official patch is currently linked, administrators should consider temporarily disabling or uninstalling the plugin until a secure update is released. Web Application Firewall (WAF) rules that detect and block suspicious AJAX requests to the 'dreampluginsmain' action can reduce risk in the meantime. Site administrators should be made aware of the risks of clicking unknown or suspicious links, especially those that could trigger administrative actions while they are logged in. Monitoring administrative actions and plugin settings for unauthorized changes provides early detection of exploitation attempts. Additionally, site owners should keep WordPress core and all plugins up to date and subscribe to security advisories from the plugin vendor or trusted security sources so that a fix can be applied as soon as it is released.
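The technical analysis above attributes the flaw to a missing nonce check on an admin-ajax action, and the mitigations call for blocking unauthenticated settings changes and monitoring for unexpected ones. The following is an added illustrative example, not the dream gallery plugin's code: it shows the vulnerable pattern (no nonce, no capability check, raw input stored) next to a hardened handler for the same action name. Only the action name 'dreampluginsmain' is taken from the advisory; the function names, the `dg_example_settings` option key, the `security` parameter name and the settings fields are hypothetical.

```php
<?php
/**
 * Added example (not the dream gallery plugin's code). Hardened WordPress
 * admin-ajax handler for a settings-update action, showing the nonce,
 * capability and sanitisation checks whose absence yields a CSRF of the
 * kind described in CVE-2025-13621. 'dreampluginsmain' is the action
 * name from the advisory; all dg_example_* names and the option key are
 * hypothetical.
 */

// --- Vulnerable pattern (for contrast; do not use) ------------------------
// add_action( 'wp_ajax_dreampluginsmain',        'dg_example_save_settings' );
// add_action( 'wp_ajax_nopriv_dreampluginsmain', 'dg_example_save_settings' );
// function dg_example_save_settings() {
//     // No nonce check, no capability check, raw input stored as-is:
//     update_option( 'dg_example_settings', $_POST['settings'] );
//     wp_die();
// }

// --- Hardened version -----------------------------------------------------

// Registered for logged-in users only: there is deliberately no
// wp_ajax_nopriv_ hook, since anonymous visitors must never reach this code.
add_action( 'wp_ajax_dreampluginsmain', 'dg_example_save_settings_secure' );

function dg_example_save_settings_secure() {
    // 1. CSRF defence: the request must carry a nonce minted for this action
    //    and this user. With the default $stop = true, an invalid or expired
    //    nonce terminates the request with HTTP 403 and the body "-1".
    check_ajax_referer( 'dg_example_save_settings', 'security' );

    // 2. Authorisation: a nonce proves intent, not privilege. Only users who
    //    may manage options get to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: never persist raw $_POST. Accept only known keys
    //    and sanitise each for the context in which it will be used.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $settings = array(
        'gallery_title'   => sanitize_text_field( $raw['gallery_title'] ?? '' ),
        'images_per_page' => max( 1, min( 100, absint( $raw['images_per_page'] ?? 12 ) ) ),
        // Limited HTML is allowed, but script tags and event handlers are
        // stripped, which removes the stored-XSS outcome the advisory warns of.
        'caption_html'    => wp_kses_post( $raw['caption_html'] ?? '' ),
    );

    update_option( 'dg_example_settings', $settings );
    wp_send_json_success( array( 'saved' => true ) );
}

// Mint the nonce server-side and pass it to the admin page's own script.
// The legitimate UI can include it in its request; a page on another origin
// cannot read it, so a forged request arrives without a valid nonce.
add_action( 'admin_enqueue_scripts', 'dg_example_enqueue_admin_script' );
function dg_example_enqueue_admin_script() {
    wp_enqueue_script( 'dg-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'dg-example-admin', 'dgExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'dg_example_save_settings' ),
    ) );
    // admin.js would then POST { action: 'dreampluginsmain',
    //   security: dgExample.nonce, settings: { ... } } to dgExample.ajaxUrl.
}

// --- Detection aid: record every change to the plugin's settings -----------
// update_option_{$option} fires after update_option() actually changes the
// stored value, so this log line appears for any edit, expected or not.
add_action( 'update_option_dg_example_settings', 'dg_example_log_settings_change', 10, 3 );
function dg_example_log_settings_change( $old_value, $value, $option ) {
    $user = wp_get_current_user();
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';
    error_log( sprintf(
        '[dg-example] option %s changed by user #%d (%s) from %s; old=%s new=%s',
        $option,
        $user->ID,
        $user->user_login,
        $addr,
        wp_json_encode( $old_value ),
        wp_json_encode( $value )
    ) );
}
```

Two points worth keeping in mind when reviewing a plugin for this class of bug: the nonce check and the capability check are independent (a valid nonce from a subscriber-level session still must not be allowed to change settings), and registering a settings handler on a `wp_ajax_nopriv_` hook is a red flag on its own, because it exposes the action to visitors with no session at all. The logging hook above also gives the "monitor settings for unauthorized changes" recommendation something concrete to alert on, since a change attributed to an administrator who made no such edit is exactly the CSRF signature.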
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-24T20:43:27.215Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69327173f88dbe026c7799c1
Added to database: 12/5/2025, 5:45:23 AM
Last enriched: 2/27/2026, 10:04:16 AM
Last updated: 3/23/2026, 11:44:53 PM