Cyber Resilience

CVE-2025-1306

High

Published: 04 March 2025

Published
04 March 2025
Modified
05 March 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0119 79.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1306 is a high-severity CSRF (CWE-352) vulnerability in Spicethemes Newscrunch. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Newscrunch theme for WordPress is affected by a Cross-Site Request Forgery vulnerability in all versions through 1.8.4. The issue stems from missing or incorrect nonce validation in the newscrunch_install_and_activate_plugin() function, which is tracked under CWE-352 and carries a CVSS 3.1 score of 8.8.

Unauthenticated attackers can exploit the flaw by crafting a request that uploads arbitrary files, provided they can first trick an authenticated administrator into clicking a malicious link or performing another action that triggers the function. Successful exploitation grants the attacker the ability to achieve code execution or full site takeover.

Public references, including WordPress theme repository changesets and the Wordfence threat intelligence entry, point to an available patch that addresses the nonce validation gap; site owners should update the theme to the corrected release. The associated EPSS scores remain low, with a current value of 0.0119 and a peak of 0.0155.

EU & UK References

Vulnerability details

The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to…

more

upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

CSRF vuln in public-facing WordPress theme enables exploitation of web app (T1190) and arbitrary file upload (T1105) via malicious link to admin (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1307Same product: Spicethemes Newscrunch
CVE-2024-11640Shared CWE-352
CVE-2025-25121Shared CWE-352
CVE-2025-24001Shared CWE-352
CVE-2025-25147Shared CWE-352
CVE-2026-34904Shared CWE-352
CVE-2024-26153Shared CWE-352
CVE-2025-28860Shared CWE-352
CVE-2026-45430Shared CWE-352
CVE-2025-23880Shared CWE-352

Affected Assets

spicethemes
newscrunch
≤ 1.8.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of inputs such as nonces to block forged CSRF requests targeting the newscrunch_install_and_activate_plugin() function.

prevent

Mandates timely identification, reporting, and correction of flaws like the missing nonce validation in Newscrunch theme versions up to 1.8.4.

prevent

Protects communications session authenticity to mitigate CSRF exploitation via forged requests tricking administrators into arbitrary file uploads.

References