Description
The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin.
Published: 2025-10-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Plugin Installation
Action: Patch Theme
AI Analysis

Impact

The Newsup theme for WordPress contains a missing capability check on the newsup_admin_info_install_plugin() function (CWE‑862). In all versions up to 5.0.10 an unprivileged user can trigger the installation of the ansar‑import plugin, adding code that the site owner did not authorize and potentially compromising the site’s integrity.

Affected Systems

WordPress installations that employ the themeansar:Newsup theme, version 5.0.10 or earlier, are affected. The flaw resides solely in the theme’s admin code and does not affect other WordPress components.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests low current exploitation likelihood. The vulnerability is not cataloged in the CISA KEV list. Attackers can exercise the flaw remotely and without authentication by sending a request to the theme’s admin endpoint; no additional privileges are required.

Generated by OpenCVE AI on April 22, 2026 at 03:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Newsup theme that includes the missing capability check (versions higher than 5.0.10).
  • If the ansar‑import plugin has already been installed, remove or disable it immediately.
  • Review the WordPress plugin list for any unfamiliar or recently added plugins and delete those that were not authorized.
  • Enable a security plugin or logging mechanism to capture and review plugin‑installation events for early detection of unauthorized activity.

Generated by OpenCVE AI on April 22, 2026 at 03:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 14 Oct 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 11 Oct 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin.
Title Newsup <= 5.0.10 - Missing Authorization to Authenticated (Subscriber+) Plugin Installation
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:42.289Z

Reserved: 2025-08-06T19:54:30.816Z

Link: CVE-2025-8682

cve-icon Vulnrichment

Updated: 2025-10-14T18:32:01.742Z

cve-icon NVD

Status : Deferred

Published: 2025-10-11T10:15:44.433

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8682

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T04:00:08Z

Weaknesses