Cross-Site Request Forgery in Photo Gallery by Ays for WordPress
CVE-2025-13685

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Photo Gallery By Ays – Responsive Image Gallery
Vendor
CVE Published:
2 December 2025

What is CVE-2025-13685?

The Photo Gallery by Ays plugin for WordPress has a Cross-Site Request Forgery vulnerability that affects all versions up to and including 6.4.8. This issue stems from the absence of nonce verification within the 'process_bulk_action()' function, enabling unauthenticated attackers to exploit bulk operations, such as deleting or modifying galleries. Attackers can potentially trick administrators into executing these actions through deceptive requests, compromising the integrity of the website.

Affected Version(s)

Photo Gallery by Ays – Responsive Image Gallery * <= 6.4.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/gallery-photo-...
https://plugins.trac.wordpress.org/browser/gallery-photo-...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Deadbee
JSON
.