Description
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-05-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate patch
AI Analysis

Impact

The NewsBlogger WordPress theme is vulnerable to Cross‑Site Request Forgery because the newsblogger_install_and_activate_plugin() function does not correctly validate a security nonce. An attacker who can make a site administrator unknowingly submit a forged request can cause the theme to upload arbitrary files. Once the malicious file is in place the attacker can execute code with full administrative privileges, compromising confidentiality, integrity, and availability of the entire site. This flaw is a classic example of CWE‑352, where missing anti‑CSRF measures allow unauthorized remote actions.

Affected Systems

Spice Themes' NewsBlogger WordPress theme, versions up to and including 0.2.5.4. The vulnerability applies to every installation of these releases; no sub-component is exempt. Administrators should check the installed theme version on each site to determine whether it is still running an affected release.

Risk and Exploitability

The CVSS score of 8.8 places the flaw in the High severity category. The EPSS score of less than 1% indicates a low current exploitation probability, yet the vulnerability remains dangerous because the attacker needs no credentials of their own: the forged request is executed with the privileges of the administrator who is tricked into submitting it (the CVSS vector records this as PR:N with UI:R). The flaw is not listed in CISA's KEV catalog, but that does not reduce the risk for affected installations. In practice, an attacker would target an administrator's browser with a malicious link that triggers the flawed plugin-installation routine, thereby gaining remote code execution.

Generated by OpenCVE AI on April 21, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NewsBlogger theme to the latest release that includes a nonce check for the plugin installation routine.
  • If a newer release is unavailable, replace the vulnerable function in functions.php with code that performs proper nonce verification before accepting any file uploads.
  • As an interim measure, lock down administrative access with IP restrictions or two‑factor authentication and disable remote plugin installation until the theme is updated.
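The second recommendation above asks for proper nonce verification before the installation routine does any work. The following is an added illustration of that pattern, not the NewsBlogger theme's own handler: the action name, function name and allow-listed plugin slug are assumptions, while the WordPress functions called are real core APIs.

```php
<?php
// Added example, not the NewsBlogger theme's code: a hardened admin-ajax handler that
// installs and activates a plugin. Names prefixed "example_" are hypothetical; the
// WordPress functions called are the real core APIs.
add_action( 'wp_ajax_example_install_plugin', 'example_install_and_activate_plugin' );

function example_install_and_activate_plugin() {
    // 1. CSRF defence: the POST must carry a nonce tied to this action and to the
    //    logged-in user. check_ajax_referer() terminates the request on a bad nonce.
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // 2. Authorisation: a valid nonce proves intent, not permission.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Accept only allow-listed wordpress.org slugs, never an attacker-supplied
    //    package URL or uploaded archive.
    $allowed = array( 'classic-editor' ); // constructed allow list
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'plugin not permitted', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Resolve the package URL through the wordpress.org API instead of trusting input.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 500 );
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        wp_send_json_error( 'install failed', 500 );
    }

    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( $activated->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}
```

The admin page that triggers this handler must embed a matching nonce, for example wp_create_nonce( 'example_install_plugin' ) passed to its script via wp_localize_script(). Because both the nonce and the capability checks run server-side, a request forged from an administrator's browser by a third-party page fails at step 1.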

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-15124
Title: The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
History

Tue, 06 May 2025 16:00:00 +0000

Type: First Time appeared
Values added: Spicethemes; Spicethemes newsblogger
Type: CPEs
Values added: cpe:2.3:a:spicethemes:newsblogger:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values added: Spicethemes; Spicethemes newsblogger

Thu, 01 May 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 01 May 2025 03:45:00 +0000

Type: Description
Values added: The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Type: Title
Values added: NewsBlogger <= 0.2.5.4 - Cross-Site Request Forgery to Arbitrary Plugin Installation
Type: Weaknesses
Values added: CWE-352
Type: References
Values added: (none listed)
Type: Metrics (cvssV3_1)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Spicethemes Newsblogger
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:27.057Z

Reserved: 2025-02-14T19:00:13.000Z

Link: CVE-2025-1305

Vulnrichment

Updated: 2025-05-01T13:22:50.513Z

NVD

Status: Analyzed

Published: 2025-05-01T04:16:47.947

Modified: 2025-05-06T15:38:55.647

Link: CVE-2025-1305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses