Description
The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-03-04
Score: 8.8 High
EPSS: 1.6% Low
KEV: No
Impact: CSRF enabling arbitrary file upload that can lead to code execution
Action: Patch Now
AI Analysis

Impact

The vulnerability resides in the Newscrunch WordPress theme’s install and activate function, which fails to validate or incorrectly validates a nonce. This deficiency allows an unauthenticated actor to forge a request that an administrator will execute by clicking a link or performing a similar action. Once the request is processed, the attacker can upload any file to the theme’s directory, thereby creating a pathway for arbitrary code execution, defacement, or placement of malicious scripts. The weakness reflects a classic CSRF flaw (CWE-352).

Affected Systems

WordPress sites that employ the Newscrunch theme from Spicethemes in version 1.8.4 or earlier are directly affected. Administrators using any older release of the theme, regardless of other plugins or customizations, remain vulnerable until the theme is upgraded to a version that implements proper nonce checks.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity, yet the EPSS score of 2% suggests that exploitation is currently unlikely on a large scale. Because the attack requires an administrative user to unknowingly submit the forged request, the likelihood of successful exploitation depends on convincing the administrator to click a malicious link. The vulnerability is not listed in the CISA KEV catalog, indicating that no known active exploits have been reported at this time. Nevertheless, given the high impact of an arbitrary file upload, it is advisable to treat this as a risk worth addressing immediately.

Generated by OpenCVE AI on April 22, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Newscrunch theme to the latest release (>=1.8.5) which corrects the missing nonce validation.
  • If an upgrade cannot be performed, disable the theme’s upload capability by removing or neutralizing the newscrunch_install_and_activate_plugin() function, or by configuring the server to deny write access to the theme’s upload directory for unauthenticated traffic.
  • Deploy a security or firewall plugin such as Wordfence or Sucuri to block uploads of disallowed file types and verify that the WordPress core and all plugins are kept up to date.

Generated by OpenCVE AI on April 22, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7385 The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Tue, 11 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 04 Mar 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Newscrunch <= 1.8.4 - Cross-Site Request Forgery to Arbitrary File Upload
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:39:42.547Z

Reserved: 2025-02-14T19:04:18.268Z

Link: CVE-2025-1306

cve-icon Vulnrichment

Updated: 2025-03-04T15:25:05.676Z

cve-icon NVD

Status : Received

Published: 2025-03-04T05:15:13.590

Modified: 2025-03-04T05:15:13.590

Link: CVE-2025-1306

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses