CVE-2025-1306
Published: 04 March 2025
Summary
CVE-2025-1306 is a high-severity CSRF (CWE-352) vulnerability in Spicethemes Newscrunch. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Newscrunch theme for WordPress is affected by a Cross-Site Request Forgery vulnerability in all versions through 1.8.4. The issue stems from missing or incorrect nonce validation in the newscrunch_install_and_activate_plugin() function, which is tracked under CWE-352 and carries a CVSS 3.1 score of 8.8.
Unauthenticated attackers can exploit the flaw by crafting a request that uploads arbitrary files, provided they can first trick an authenticated administrator into clicking a malicious link or performing another action that triggers the function. Successful exploitation grants the attacker the ability to achieve code execution or full site takeover.
Public references, including WordPress theme repository changesets and the Wordfence threat intelligence entry, point to an available patch that addresses the nonce validation gap; site owners should update the theme to the corrected release. The associated EPSS scores remain low, with a current value of 0.0119 and a peak of 0.0155.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7385
Vulnerability details
The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to…
more
upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF vuln in public-facing WordPress theme enables exploitation of web app (T1190) and arbitrary file upload (T1105) via malicious link to admin (T1204.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of inputs such as nonces to block forged CSRF requests targeting the newscrunch_install_and_activate_plugin() function.
Mandates timely identification, reporting, and correction of flaws like the missing nonce validation in Newscrunch theme versions up to 1.8.4.
Protects communications session authenticity to mitigate CSRF exploitation via forged requests tricking administrators into arbitrary file uploads.