CVE-2025-1304
The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
| Software | From | Fixed in |
|---|---|---|
| spicethemes / newsblogger | - | 0.2.5.2 |
- https://themes.trac.wordpress.org/browser/newsblogger/0.2.5.5/functions.php?annotate=blame&rev=269615#file2
- https://themes.trac.wordpress.org/browser/newsblogger/0.2/functions.php#L440
- https://themes.trac.wordpress.org/browser/newsblogger/0.2/functions.php#L461
- https://themes.trac.wordpress.org/browser/newsblogger/0.2/functions.php#L470
- https://www.wordfence.com/threat-intel/vulnerabilities/id/85cea6b5-d57b-495e-a504-a0c1ba691637?source=cve
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime