Description
The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check.
Published: 2026-01-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Arbitrary Plugin Installation
Action: Immediate Patch
AI Analysis

Impact

The Dreamer Blog WordPress theme through version 1.2 contains a missing capability check that allows an attacker to force the installation of arbitrary plugins. This flaw can be abused to upload and activate malicious code, giving the attacker execution privileges on the affected site. The result is a loss of confidentiality, integrity, and availability of the WordPress installation.

Affected Systems

The vulnerability affects the Dreamer Blog theme version 1.2 and earlier. Any WordPress site that has installed this theme is vulnerable. No other products are listed.

Risk and Exploitability

The CVSS base score of 9.8 indicates critical severity. The EPSS score is below 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog at this time. The attack vector is inferred to be via the WordPress administration interface, where the missing check allows authenticated users with minimal privileges, or potentially unauthenticated users if the install endpoint is publicly accessible, to trigger the plugin installation flow and inject malicious code. Exploitability requires the ability to send a plugin installation request; once successful, the attacker obtains code execution on the server.

Generated by OpenCVE AI on April 27, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest version of the Dreamer Blog theme, or remove the vulnerable theme entirely, to eliminate the flaw.
  • Define the constant DISALLOW_FILE_MODS as true in wp-config.php, or enforce role-based capability checks (such as install_plugins), so that non-administrator users cannot install plugins.
  • Use a web-application firewall or a security plugin to block the plugin installation endpoint, and scan the site for any malicious plugins that may already be present.
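The flaw class described in the analysis above (a plugin-installation handler reachable by low-privileged users without a capability check) and the role-based check recommended as a remediation, as an added illustration. This is hypothetical handler code written for this page, not the Dreamer Blog theme's code; the action names, function names and `slug` parameter are assumptions.

```php
<?php
// Added illustration, not the Dreamer Blog theme's code: a hypothetical theme
// AJAX handler that installs a plugin, shown without a capability check (the
// CWE-284 pattern this advisory describes) and then hardened.

// --- Vulnerable pattern: every logged-in user (Subscriber+) reaches this. ---
add_action( 'wp_ajax_demo_install_plugin', 'demo_install_plugin_unchecked' );
function demo_install_plugin_unchecked() {
    // No nonce and no current_user_can() check: who the caller is never matters.
    demo_do_install( sanitize_key( $_POST['slug'] ?? '' ) );
}

// --- Hardened pattern: nonce, capability and file-mod checks before installing. ---
add_action( 'wp_ajax_demo_install_plugin_safe', 'demo_install_plugin_checked' );
function demo_install_plugin_checked() {
    // Reject forged cross-site requests (check_ajax_referer() dies on failure).
    check_ajax_referer( 'demo_install_plugin', 'nonce' );
    // Role-based capability check: only users allowed to install plugins proceed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // Honour DISALLOW_FILE_MODS explicitly; core also strips install_plugins when it is set.
    if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
        wp_send_json_error( 'file modifications are disabled on this site', 403 );
    }
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( 'missing plugin slug', 400 );
    }
    demo_do_install( $slug );
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Shared install routine built on core's upgrader (hypothetical helper).
function demo_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 400 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'plugin installation failed', 500 );
    }
}
```

Auditing a theme or plugin for this flaw means finding every admin-ajax, REST or admin-post handler that calls the upgrader and confirming that a nonce check and `current_user_can( 'install_plugins' )` (or an equivalent capability) precede it.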

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 22:00:00 +0000

Type          Values Removed   Values Added
Weaknesses                     CWE-284

Wed, 14 Jan 2026 11:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress
                                       Wordpress wordpress
Vendors & Products                     Wordpress
                                       Wordpress wordpress

Tue, 13 Jan 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description                    The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check.
Title                          Dreamer Blog <= 1.2 - Subscriber+ Arbitrary Plugin Installation
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:50.919Z

Reserved: 2025-09-24T13:43:02.324Z

Link: CVE-2025-10915

Vulnrichment

Updated: 2026-01-13T14:38:59.148Z

NVD

Status : Deferred

Published: 2026-01-13T06:15:49.147

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10915

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses