Cross-Site Request Forgery Vulnerability in Newscrunch Theme for WordPress
CVE-2025-1306

8.8HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
4 March 2025

What is CVE-2025-1306?

The Newscrunch theme for WordPress contains a security flaw that allows unauthenticated attackers to exploit vulnerabilities in nonce validation. Specifically, the newscrunch_install_and_activate_plugin() function lacks proper checks, enabling malicious actors to upload arbitrary files by tricking site administrators into performing certain actions, such as clicking on a suspicious link. This vulnerability affects all versions up to and including 1.8.4, creating potential security risks for users running this theme.

Affected Version(s)

Newscrunch * <= 1.8.4

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Gibran Abdillah
.
The Cyber Security Vulnerability Database.