CVE-2025-1306
Published: 04 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-1306, published on 2025-03-04, is a Cross-Site Request Forgery (CSRF) vulnerability classified under CWE-352, affecting the Newscrunch theme for WordPress in all versions up to and including 1.8.4. The flaw arises from missing or incorrect nonce validation in the newscrunch_install_and_activate_plugin() function, enabling unauthenticated attackers to upload arbitrary files through a forged request if they can deceive a site administrator.
Attackers require no privileges (PR:N) and can exploit this over the network (AV:N) with low attack complexity (AC:L), but it depends on user interaction such as an administrator clicking a malicious link (UI:R). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.8 in an unchanged scope (S:U), potentially allowing full file upload capabilities on the targeted WordPress site.
Advisories from Wordfence and the WordPress theme trac repository, including functions.php at line 486 and changeset 261789 for the Newscrunch theme, provide details on the vulnerability and associated fixes.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vuln in public-facing WordPress theme enables exploitation of web app (T1190) and arbitrary file upload (T1105) via malicious link to admin (T1204.001).