{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1306", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-14T19:04:18.268Z", "datePublished": "2025-03-04T04:26:08.747Z", "dateUpdated": "2026-04-08T16:39:42.547Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:39:42.547Z"}, "affected": [{"vendor": "spicethemes", "product": "Newscrunch", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Newscrunch <= 1.8.4 - Cross-Site Request Forgery to Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c507681-61e9-4bf0-8fe5-e2f401a7a8be?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/newscrunch/1.8.3/functions.php#L486"}, {"url": "https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=261789%40newscrunch&new=261789%40newscrunch&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gibran Abdillah"}], "timeline": [{"time": "2025-03-03T15:46:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T15:25:03.567935Z", "id": "CVE-2025-1306", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-11T16:09:08.874Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1306", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-04T15:25:03.567935Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T15:25:05.676Z"}}], "cna": {"title": "Newscrunch <= 1.8.4 - Cross-Site Request Forgery to Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Gibran Abdillah"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "spicethemes", "product": "Newscrunch", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.8.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-03T15:46:15.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c507681-61e9-4bf0-8fe5-e2f401a7a8be?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/newscrunch/1.8.3/functions.php#L486"}, {"url": "https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=261789%40newscrunch&new=261789%40newscrunch&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-04T04:26:08.747Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1306", "state": "PUBLISHED", "dateUpdated": "2025-03-11T16:09:08.874Z", "dateReserved": "2025-02-14T19:04:18.268Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-04T04:26:08.747Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-1306", "lastModified": "2025-03-04T05:15:13.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-03-04T05:15:13.590", "references": [{"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/newscrunch/1.8.3/functions.php#L486"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=261789%40newscrunch&new=261789%40newscrunch&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c507681-61e9-4bf0-8fe5-e2f401a7a8be?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:54:17.112364+00:00", "value": {"mitigation_remediation": ["Upgrade the Newscrunch theme to the latest release (>=1.8.5) which corrects the missing nonce validation.", "If an upgrade cannot be performed, disable the theme\u2019s upload capability by removing or neutralizing the newscrunch_install_and_activate_plugin() function, or by configuring the server to deny write access to the theme\u2019s upload directory for unauthenticated traffic.", "Deploy a security or firewall plugin such as Wordfence or Sucuri to block uploads of disallowed file types and verify that the WordPress core and all plugins are kept up to date."], "summary": {"action": "Patch Now", "impact": "CSRF enabling arbitrary file upload that can lead to code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that employ the Newscrunch theme from Spicethemes in version 1.8.4 or earlier are directly affected. Administrators using any older release of the theme, regardless of other plugins or customizations, remain vulnerable until the theme is upgraded to a version that implements proper nonce checks.", "description_and_impact": "The vulnerability resides in the Newscrunch WordPress theme\u2019s install and activate function, which fails to validate or incorrectly validates a nonce. This deficiency allows an unauthenticated actor to forge a request that an administrator will execute by clicking a link or performing a similar action. Once the request is processed, the attacker can upload any file to the theme\u2019s directory, thereby creating a pathway for arbitrary code execution, defacement, or placement of malicious scripts. The weakness reflects a classic CSRF flaw (CWE-352).", "risk_and_exploitability": "The CVSS score of 8.8 classifies the issue as high severity, yet the EPSS score of 2% suggests that exploitation is currently unlikely on a large scale. Because the attack requires an administrative user to unknowingly submit the forged request, the likelihood of successful exploitation depends on convincing the administrator to click a malicious link. The vulnerability is not listed in the CISA KEV catalog, indicating that no known active exploits have been reported at this time. Nevertheless, given the high impact of an arbitrary file upload, it is advisable to treat this as a risk worth addressing immediately."}}}}, "created": "2026-04-22T18:00:05.479775+00:00", "updated": "2026-04-22T18:00:05.479785+00:00", "vendors": []}