Description
The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-03-04
Score: 9.8 Critical
EPSS: 28.4% Moderate
KEV: No
Impact: Remote Code Execution via Arbitrary File Upload
Action: Immediate Patch
AI Analysis

Impact

The Newscrunch theme is vulnerable to arbitrary file uploads because the newscrunch_install_and_activate_plugin() function omits a capability check. An authenticated user with Subscriber-level or higher privileges can leverage the plugin activation process to upload any file to the server. If the uploaded file contains executable code, the function may enable remote code execution, compromising the application and potentially the host OS. This flaw is classified as CWE-862.

Affected Systems

All installations of the Newscrunch WordPress theme developed by spicethemes are affected, specifically versions 1.8.4.1 and earlier.

Risk and Exploitability

The CVSS score of 9.8 categorizes the issue as critical. The EPSS score of 28% indicates a high likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, yet the combination of severe impact and significant exploitation probability makes it a top remediation priority. Attackers only need valid authenticated credentials with at least Subscriber privilege to exploit the flaw via the plugin activation mechanism, and can then upload executable content to the server.

Generated by OpenCVE AI on April 22, 2026 at 02:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Newscrunch theme to a later release than 1.8.4.1, where the missing capability check has been added.
  • If an immediate upgrade is not possible, prevent non‑administrator users from activating plugins or uploading files by adding an extra capability check before calling newscrunch_install_and_activate_plugin().
  • After applying the fix or workaround, ensure that the upload directory is protected from executing uploaded files and add file‑type validation to block executable file extensions.

Generated by OpenCVE AI on April 22, 2026 at 02:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 11 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 04 Mar 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Newscrunch <= 1.8.4 - Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:09.343Z

Reserved: 2025-02-14T19:07:01.515Z

Link: CVE-2025-1307

cve-icon Vulnrichment

Updated: 2025-03-04T15:29:09.009Z

cve-icon NVD

Status : Received

Published: 2025-03-04T05:15:14.233

Modified: 2025-03-04T05:15:14.233

Link: CVE-2025-1307

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T02:15:05Z

Weaknesses