Newscrunch < 1.8.4.1 – Cross-Site Request Forgery to Arbitrary File Upload | CVE 2025-1306 | Theme Vulnerabilities

Description

The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Themes

Fixed in 1.8.4.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1c507681-61e9-4bf0-8fe5-e2f401a7a8be

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Gibran Abdillah

Verified

No

WPVDB ID

b27a251e-c883-43df-8949-df876b1250af

Timeline

Publicly Published

2025-03-03 (about 1 year ago)

Added

2025-03-03 (about 1 year ago)

Last Updated

2025-03-04 (about 1 year ago)

Other

Published

Title

Published

2025-04-02

Title

Web Directory Free < 1.7.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2022-09-29

Title

LBStopAttack < 1.1.3 - Arbitrary Settings Update via CSRF

Published

2025-04-01

Title

TZ PlusGallery <= 1.5.5 - Cross-Site Request Forgery

Published

2025-09-21

Title

Advanced Custom Fields : CPT Options Pages <= 2.0.9 - Cross-Site Request Forgery

Published

2025-03-19

Title

Custom Twitter Feeds < 2.3.0 - Cross-Site Request Forgery to Cache Reset via ctf_clear_cache_admin Function