Cross-Site Request Forgery Vulnerability in Newscrunch Theme for WordPress
CVE-2025-1306
8.8HIGH
What is CVE-2025-1306?
The Newscrunch theme for WordPress contains a security flaw that allows unauthenticated attackers to exploit vulnerabilities in nonce validation. Specifically, the newscrunch_install_and_activate_plugin() function lacks proper checks, enabling malicious actors to upload arbitrary files by tricking site administrators into performing certain actions, such as clicking on a suspicious link. This vulnerability affects all versions up to and including 1.8.4, creating potential security risks for users running this theme.
Affected Version(s)
Newscrunch * <= 1.8.4