Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS.This issue affects Dreamstime Stock Photos: from n/a through <= 4.1.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a reflected Cross‑Site Scripting vulnerability that permits a malicious user to inject arbitrary scripts into the page being viewed. When attackers supply crafted characters or code in a request handled by the Dreamstime Stock Photos plugin, the response contains that unsanitized input. The injected script can execute in the victim’s browser, potentially dumping session cookies, hijacking the user’s session, altering the page content or redirecting the user to phishing sites. The weakness is catalogued as CWE‑79 and represents an integrity and confidentiality threat that can be exploited purely through a web request.

Affected Systems

The vulnerability is present in Dreamstime Stock Photos plugin versions up to and including 4.1, inclusive of the initial release. Any WordPress site that has installed the plugin with a version number of 4.1 or earlier is affected. No higher versions are known to be impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate‑to‑high severity level. The EPSS score is listed as <1%, signifying a very low probability that this flaw is actively exploited at present. The vulnerability is not catalogued in the CISA KEV repository, suggesting no known large‑scale exploitation campaigns targeting it. Attackers would need only to send a crafted URL or request containing malicious script fragments to an affected site, making the attack vector remote and straightforward. Given the low exploitation probability, the risk is moderate, but organizations should still remediate promptly to avoid potential future exploitation.

Generated by OpenCVE AI on May 1, 2026 at 14:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dreamstime Stock Photos plugin to version 4.2 or later to remove the reflected XSS flaw
  • Disable or restrict any plugin functionality that accepts user‑supplied input, and enforce server‑side input validation and output encoding for all reflected data
  • Deploy a web application firewall or enforce a strict Content‑Security‑Policy to detect and block reflected XSS payloads and monitor traffic for anomalous requests

Generated by OpenCVE AI on May 1, 2026 at 14:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5651 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS.This issue affects Dreamstime Stock Photos: from n/a through 4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS.This issue affects Dreamstime Stock Photos: from n/a through 4.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS.This issue affects Dreamstime Stock Photos: from n/a through <= 4.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 02 Jun 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Dreamstime Stock Photos allows Reflected XSS. This issue affects Dreamstime Stock Photos: from n/a through 4.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dreamstime Dreamstime Stock Photos dreamstime-stock-photos allows Reflected XSS.This issue affects Dreamstime Stock Photos: from n/a through 4.1.
Title WordPress Dreamstime Stock Photos plugin <= 4.0 - Reflected Cross Site Scripting (XSS) vulnerability WordPress Dreamstime Stock Photos plugin <= 4.1 - Reflected Cross Site Scripting (XSS) vulnerability

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Dreamstime Stock Photos allows Reflected XSS. This issue affects Dreamstime Stock Photos: from n/a through 4.0.
Title WordPress Dreamstime Stock Photos plugin <= 4.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:35.280Z

Reserved: 2025-02-03T13:34:21.523Z

Link: CVE-2025-25090

cve-icon Vulnrichment

Updated: 2025-03-03T16:00:21.508Z

cve-icon NVD

Status : Deferred

Published: 2025-03-03T14:15:50.197

Modified: 2026-04-23T15:25:33.497

Link: CVE-2025-25090

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T14:45:16Z

Weaknesses