CVE-2025-1307
Published: 04 March 2025
Summary
CVE-2025-1307 is a critical-severity Missing Authorization (CWE-862) vulnerability in Spicethemes Newscrunch. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-11 (User-installed Software).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires identification, reporting, and timely remediation of flaws like the missing capability check in the Newscrunch theme's newscrunch_install_and_activate_plugin function to prevent exploitation.
- Prohibits or controls user-installed software by non-privileged users such as Subscribers, directly mitigating unauthorized plugin uploads via the vulnerable function.
- Enforces least privilege to restrict Subscriber-level users from possessing capabilities needed for arbitrary file uploads and plugin activation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file upload vulnerability in a public-facing WordPress theme directly enables T1190 (exploiting a public-facing application), T1105 (uploading/transferring malicious files to the server), and T1505.003 (installing a web shell for RCE/persistence).
NVD Description
The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Deeper analysis
CVE-2025-1307 is an arbitrary file upload vulnerability in the Newscrunch theme for WordPress, affecting all versions up to and including 1.8.4.1. The issue arises from a missing capability check in the newscrunch_install_and_activate_plugin() function, which allows unauthorized file uploads to the server's filesystem. Published on 2025-03-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862 (Missing Authorization).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to upload arbitrary files to the affected WordPress site. Successful exploitation may lead to remote code execution, depending on the uploaded file type and server configuration.
Advisories and patches are detailed in the provided references, including the vulnerable code in functions.php at line 486 (https://themes.trac.wordpress.org/browser/newscrunch/1.8.3/functions.php#L486), a related changeset in the WordPress theme repository (https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=261789%40newscrunch&new=261789%40newscrunch&sfp_email=&sfph_mail=), and Wordfence threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/b55567e9-24e6-4738-b7f7-b95b541e6067?source=cve).
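To check whether an installed copy falls in the affected range stated above (all versions up to and including 1.8.4.1), the following added example, which is not code from the theme or from any of the referenced advisories, reads the theme's style.css header and compares its version. The sample headers, the placeholder version 9.9.9 and the themes directory argument are constructed for illustration.

```python
import re
from pathlib import Path

LAST_AFFECTED = (1, 8, 4, 1)  # last affected release per the advisory text

# WordPress theme metadata lives in "Key: value" lines of the style.css header.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):(.*)$",
                       re.IGNORECASE | re.MULTILINE)

def parse_theme_header(css_text):
    """Return lower-cased header fields from the first 8 KiB of style.css."""
    fields = {}
    for key, value in HEADER_RE.findall(css_text[:8192]):
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(version):
    """Turn '1.8.4.1' into (1, 8, 4, 1); a non-numeric part ends the parse."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_affected(css_text):
    """True if the header describes Newscrunch at or below LAST_AFFECTED."""
    fields = parse_theme_header(css_text)
    if fields.get("theme name", "").lower() != "newscrunch":
        return False
    found = version_tuple(fields.get("version", ""))
    if not found:
        return True  # no readable version: treat as affected until verified
    width = max(len(found), len(LAST_AFFECTED))
    padded = found + (0,) * (width - len(found))  # so 1.8.4 compares as 1.8.4.0
    return padded <= LAST_AFFECTED + (0,) * (width - len(LAST_AFFECTED))

def scan_themes(themes_dir):
    """List (theme directory, version) for affected copies under wp-content/themes."""
    hits = []
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        text = css.read_text(encoding="utf-8", errors="replace")
        if is_affected(text):
            hits.append((str(css.parent), parse_theme_header(text).get("version", "unknown")))
    return hits

# Constructed sample headers (not copied from the theme).
SAMPLE_AFFECTED = "/*\nTheme Name: Newscrunch\nVersion: 1.8.4.1\n*/"
SAMPLE_PLACEHOLDER_NEWER = "/*\nTheme Name: Newscrunch\nVersion: 9.9.9\n*/"
```

Run scan_themes against the site's wp-content/themes directory; any hit should be updated or removed.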
Details
- CWE(s)