{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10915", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-09-24T13:43:02.324Z", "datePublished": "2026-01-13T06:00:05.943Z", "dateUpdated": "2026-04-02T12:39:50.919Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:50.919Z"}, "title": "Dreamer Blog <= 1.2 - Subscriber+ Arbitrary Plugin Installation", "problemTypes": [{"descriptions": [{"description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Dreamer Blog", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.2"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check."}], "references": [{"url": "https://wpscan.com/vulnerability/dab3a804-9027-4b4a-b61c-61b562045bc4/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Khaled Alenazi (Nxploited)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T14:38:33.439819Z", "id": "CVE-2025-10915", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:39:04.188Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-10915", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-13T14:38:33.439819Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:38:59.148Z"}}], "cna": {"title": "Dreamer Blog <= 1.2 - Subscriber+ Arbitrary Plugin Installation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Alenazi (Nxploited)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Dreamer Blog", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/dab3a804-9027-4b4a-b61c-61b562045bc4/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:50.919Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10915", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:50.919Z", "dateReserved": "2025-09-24T13:43:02.324Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-01-13T06:00:05.943Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check."}, {"lang": "es", "value": "El tema de WordPress Dreamer Blog hasta la 1.2 es vulnerable a instalaciones arbitrarias debido a una verificaci\u00f3n de capacidad faltante."}], "id": "CVE-2025-10915", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-13T06:15:49.147", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/dab3a804-9027-4b4a-b61c-61b562045bc4/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:40:46.375704+00:00", "value": {"mitigation_remediation": ["Update to the latest version of the Dreamer Blog theme or remove the vulnerable theme to stop the flaw.", "Add the constant DISALLOW_FILE_MODS to wp-config.php or use role\u2011based capability checks to block plugin installations for non\u2011administrator users.", "Use a web\u2011application firewall or a security plugin to block the plugin installation endpoint and scan the site for any malicious plugins that may already be present."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Arbitrary Plugin Installation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Dreamer Blog theme version 1.2 and earlier. Any WordPress site that has installed this theme is vulnerable. No other products are listed.", "description_and_impact": "The Dreamer Blog WordPress theme through version 1.2 contains a missing capability check that allows an attacker to force the installation of arbitrary plugins. This flaw can be abused to upload and activate malicious code, giving the attacker execution privileges on the affected site. The result is a loss of confidentiality, integrity, and availability of the WordPress installation.", "risk_and_exploitability": "The CVSS base score of 9.8 indicates critical severity. The EPSS score is below 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog at this time. The attack vector is inferred to be via the WordPress administration interface, where the missing check allows authenticated users with minimal privileges, or potentially unauthenticated users if the install endpoint is publicly accessible, to trigger the plugin installation flow and inject malicious code. Exploitability requires the ability to send a plugin installation request; once successful, the attacker obtains code execution on the server."}}}}, "created": "2026-01-14T11:09:28.817031+00:00", "updated": "2026-04-27T21:45:14.533748+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-284"]}