CVE-2025-1307
Published: 04 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-1307 is an arbitrary file upload vulnerability in the Newscrunch theme for WordPress, affecting all versions up to and including 1.8.4.1. The issue arises from a missing capability check in the newscrunch_install_and_activate_plugin() function, which allows unauthorized file uploads to the server's filesystem. Published on 2025-03-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862 (Missing Authorization).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to upload arbitrary files to the affected WordPress site. Successful exploitation may lead to remote code execution, depending on the uploaded file type and server configuration.
Advisories and patches are detailed in the provided references, including the vulnerable code in functions.php at line 486 (https://themes.trac.wordpress.org/browser/newscrunch/1.8.3/functions.php#L486), a related changeset in the WordPress theme repository (https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=261789%40newscrunch&new=261789%40newscrunch&sfp_email=&sfph_mail=), and Wordfence threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/b55567e9-24e6-4738-b7f7-b95b541e6067?source=cve).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The arbitrary file upload vulnerability in a public-facing WordPress theme directly enables T1190 (exploiting a public-facing application), T1105 (uploading or transferring malicious files to the server), and T1505.003 (installing a web shell for RCE/persistence).