CVE-2025-25090
Published: 03 March 2025
Summary
CVE-2025-25090 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked in the top 42.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses improper neutralization during web page generation by requiring output filtering and encoding to prevent reflected XSS script execution.
Requires validation of inputs from crafted URLs or parameters to reject or sanitize malicious payloads targeting the WordPress plugin's reflected XSS vulnerability.
Mandates timely flaw remediation, such as patching the Dreamstime Stock Photos plugin beyond version 4.1 to eliminate the specific XSS vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing plugin enables session cookie theft via injected scripts (T1539) and is typically exploited/delivered using spearphishing links with malicious payloads (T1566.002).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS.This issue affects Dreamstime Stock Photos: from n/a through <= 4.1.
Deeper analysisAI
CVE-2025-25090 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Dreamstime Stock Photos WordPress plugin (dreamstime-stock-photos). This issue affects all versions from n/a through 4.1, as documented in the CVE description published on 2025-03-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed for exploitation. Attackers can target any site user, such as authenticated administrators, by delivering malicious input via reflected vectors like crafted URLs or parameters. Successful exploitation enables script execution in the victim's browser context, potentially leading to limited impacts on confidentiality (e.g., session token theft), integrity (e.g., page manipulation), and availability, with scope changed to affect the site's resources.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/dreamstime-stock-photos/vulnerability/wordpress-dreamstime-stock-photos-plugin-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS in the Dreamstime Stock Photos plugin, focusing on version 4.0. Security practitioners should review this reference for specific mitigation steps, such as applying available patches or updates beyond version 4.1.
Details
- CWE(s)