Description
The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-05-01
Score: 8.8 High
EPSS: 1.5% Low
KEV: No
Impact: Remote code execution via arbitrary file upload
Action: Apply Patch
AI Analysis

Impact

The NewsBlogger WordPress theme contains a missing capability check in the function that installs and activates the plugin, allowing authenticated users with subscriber-level permission or higher to upload any file type to the server. This flaw enables an attacker to place malicious code on the site, potentially leading to remote code execution, data theft, or site defacement. The vulnerability affects confidentiality, integrity, and availability of the affected WordPress installation by granting the attacker the means to run code with the webserver’s privileges.

Affected Systems

WordPress websites that use the NewsBlogger theme version 0.2.5.1 or earlier are affected. The issue exists in all prior releases up to and including v0.2.5.1. Site administrators should verify the theme version via the WordPress dashboard or theme files.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity attack. An EPSS score of 2% suggests that the probability of exploitation is low but not negligible. The vulnerability is not listed in CISA’s KEV catalog, so no known public exploits are documented. The attack vector requires authentication; an attacker must have at least subscriber-level access. Once authenticated, the attacker can upload arbitrary files that can be executed by the webserver, leading to full remote code execution on the host.

Generated by OpenCVE AI on April 21, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NewsBlogger theme to the latest available release (at least v0.2.5.5) which includes the missing capability check.
  • If an upgrade is not immediately possible, disable the theme’s file upload functionality or remove the plugin‐activation capability by editing the theme files to enforce stricter permission checks.
  • After remediation, scan the site’s files for malicious uploads, monitor for suspicious activity, and apply additional file‑type restrictions or move important uploads outside the web root.

Generated by OpenCVE AI on April 21, 2026 at 21:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15125 The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Tue, 06 May 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Spicethemes
Spicethemes newsblogger
CPEs cpe:2.3:a:spicethemes:newsblogger:*:*:*:*:*:wordpress:*:*
Vendors & Products Spicethemes
Spicethemes newsblogger

Thu, 01 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 01 May 2025 03:45:00 +0000

Type Values Removed Values Added
Description The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title NewsBlogger <= 0.2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Spicethemes Newsblogger
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:40.080Z

Reserved: 2025-02-14T18:56:39.424Z

Link: CVE-2025-1304

cve-icon Vulnrichment

Updated: 2025-05-01T13:22:18.801Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-01T04:16:43.183

Modified: 2025-05-06T15:38:17.380

Link: CVE-2025-1304

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses