{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13685", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-25T19:52:12.798Z", "datePublished": "2025-12-02T06:40:24.881Z", "dateUpdated": "2026-04-08T16:48:57.104Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:57.104Z"}, "affected": [{"vendor": "ays-pro", "product": "Photo Gallery by Ays \u2013 Responsive Image Gallery", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.4.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "title": "Photo Gallery by Ays <= 6.4.8 - Cross-Site Request Forgery to Bulk Actions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42a14820-710d-4149-9a8d-aa84479f0980?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/trunk/includes/lists/class-gallery-photo-gallery-list-table.php#L1060"}, {"url": "https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/tags/6.4.7/includes/lists/class-gallery-photo-gallery-list-table.php#L1060"}, {"url": "https://plugins.trac.wordpress.org/changeset/3404625/gallery-photo-gallery/tags/6.4.9/includes/lists/class-gallery-photo-gallery-list-table.php?old=3402336&old_path=gallery-photo-gallery%2Ftags%2F6.4.8%2Fincludes%2Flists%2Fclass-gallery-photo-gallery-list-table.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Deadbee"}], "timeline": [{"time": "2025-11-25T20:07:26.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-01T18:38:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-02T14:15:04.251214Z", "id": "CVE-2025-13685", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T14:15:44.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13685", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-02T14:15:04.251214Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T14:15:24.485Z"}}], "cna": {"title": "Photo Gallery by Ays <= 6.4.8 - Cross-Site Request Forgery to Bulk Actions", "credits": [{"lang": "en", "type": "finder", "value": "Deadbee"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ays-pro", "product": "Photo Gallery by Ays \u2013 Responsive Image Gallery", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.4.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-25T20:07:26.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-01T18:38:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42a14820-710d-4149-9a8d-aa84479f0980?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/trunk/includes/lists/class-gallery-photo-gallery-list-table.php#L1060"}, {"url": "https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/tags/6.4.7/includes/lists/class-gallery-photo-gallery-list-table.php#L1060"}, {"url": "https://plugins.trac.wordpress.org/changeset/3404625/gallery-photo-gallery/tags/6.4.9/includes/lists/class-gallery-photo-gallery-list-table.php?old=3402336&old_path=gallery-photo-gallery%2Ftags%2F6.4.8%2Fincludes%2Flists%2Fclass-gallery-photo-gallery-list-table.php"}], "descriptions": [{"lang": "en", "value": "The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:57.104Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13685", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:57.104Z", "dateReserved": "2025-11-25T19:52:12.798Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-02T06:40:24.881Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-13685", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-02T07:15:48.810", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/tags/6.4.7/includes/lists/class-gallery-photo-gallery-list-table.php#L1060"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/trunk/includes/lists/class-gallery-photo-gallery-list-table.php#L1060"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3404625/gallery-photo-gallery/tags/6.4.9/includes/lists/class-gallery-photo-gallery-list-table.php?old=3402336&old_path=gallery-photo-gallery%2Ftags%2F6.4.8%2Fincludes%2Flists%2Fclass-gallery-photo-gallery-list-table.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42a14820-710d-4149-9a8d-aa84479f0980?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:53:26.653850+00:00", "value": {"mitigation_remediation": ["Upgrade the Photo Gallery by Ays plugin to version 6.4.9 or later to restore nonce verification on bulk actions.", "If an upgrade is not yet available, disable the bulk action capability for non\u2011trusted roles or remove the bulk action links from the admin interface.", "Deploy or configure a Web Application Firewall to detect and block CSRF requests lacking proper nonces, and monitor administrator activity logs for suspicious bulk operations."], "summary": {"action": "Apply patch", "impact": "Cross\u2011Site Request Forgery allowing unauthenticated attackers to perform bulk operations on galleries (delete, publish, unpublish) if an administrator is tricked into clicking a forged link."}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Photo Gallery by Ays \u2013 Responsive Image Gallery plugin version 6.4.8 or earlier are affected. All plugins versions up to and including 6.4.8 are susceptible; later releases (6.4.9+) contain a fix.", "description_and_impact": "The vulnerability is a Cross\u2011Site Request Forgery resulting from a missing nonce check in the bulk action handler of the Photo Gallery by Ays plugin, allowing an unauthenticated attacker to manipulate an administrator into performing undesired bulk operations on galleries.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate risk, but the EPSS score of less than 1% and the absence from the CISA KEV list suggest a low probability of exploitation. The attack requires an administrator to click a crafted link, so it is not a remote code execution but a privilege\u2011escalation style action that can delete or modify large numbers of galleries if successful."}}}}, "created": "2025-12-04T16:49:04.454523+00:00", "updated": "2026-04-21T18:00:11.730814+00:00", "vendors": ["ays-pro", "ays-pro$PRODUCT$photo_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}