Themes Vulnerabilities

Dreamer Blog <= 1.2 - Subscriber+ Arbitrary Plugin Installation

Description

The theme is vulnerable to arbitrary plugin installations due to a missing capability check.

Proof of Concept

Affects Themes

dreamer-blog
No known fix

References

CVE
CVE-2025-10915

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Khaled Alenazi (Nxploited)
Submitter
Khaled Alenazi (Nxploited)
Verified
Yes
WPVDB ID
dab3a804-9027-4b4a-b61c-61b562045bc4

Timeline

Publicly Published
2025-12-23 (about 21 days ago)
Added
2025-12-23 (about 20 days ago)
Last Updated
2025-12-23 (about 20 days ago)

Other

Published
Title
Published
2025-04-01
Title
Cue < 2.4.5 - Missing Authorization
Published
2023-05-23
Title
Go Pricing - WordPress Responsive Pricing Tables < 3.4 - Broken Access Control
Published
2024-08-07
Title
AMP for WP < 1.0.97 - Missing Authorization
Published
2024-06-03
Title
Admin Notices Manager < 1.5.0 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
Published
2025-12-01
Title
Get Cash <= 3.2.3 - Missing Authorization