CVE-2025-1307
Published: 04 March 2025
Summary
CVE-2025-1307 is a critical-severity Missing Authorization (CWE-862) vulnerability in Spicethemes Newscrunch. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-11 (User-installed Software).
Deeper analysis
The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads in all versions through 1.8.4.1. The flaw stems from a missing capability check in the newscrunch_install_and_activate_plugin() function, which permits unauthenticated or low-privileged requests to place arbitrary files on the server and potentially enable remote code execution. The issue is tracked as CWE-862 and carries a CVSS 3.1 score of 9.8.
Authenticated attackers holding Subscriber or higher privileges on an affected site can invoke the unprotected function to upload malicious files, achieving code execution and full site compromise without further user interaction.
Public references point to the WordPress theme Trac repository showing the vulnerable code at line 486 of functions.php and a subsequent changeset that addresses the missing authorization check; Wordfence also lists the vulnerability in its threat intelligence feed.
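As an added illustration (not the theme's code and not the fix from the Trac changeset), the pattern a code review for CWE-862 looks for in a WordPress AJAX plugin-install handler: the unguarded form beside one that verifies a nonce and the install_plugins capability. Every name prefixed example_ is an assumption for this illustration.

```php
<?php
// Added illustration, not the Newscrunch theme's code. Names prefixed
// example_ are assumptions; current_user_can, check_ajax_referer,
// wp_send_json_* and the wp_ajax_ hook are real WordPress APIs.

// Weak form: wp_ajax_ hooks fire for every logged-in role, Subscriber
// included, and nothing here asks who is making the request (CWE-862).
function example_install_plugin_unguarded() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    example_do_install( $slug );   // privileged action without authorization
    wp_send_json_success();
}

// Hardened form: reject forged requests (nonce) and then require the
// capability WordPress grants only to Administrators on a default site.
function example_install_plugin_guarded() {
    check_ajax_referer( 'example_install_plugin', 'nonce' );  // dies on a bad nonce
    if ( ! current_user_can( 'install_plugins' ) ) {          // the missing check
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'missing slug' ), 400 );
    }
    example_do_install( $slug );
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Placeholder for the actual install step (Plugin_Upgrader etc.); the
// authorization decision above is the point of this illustration.
function example_do_install( $slug ) {
    // ... download and activate the plugin identified by $slug ...
}

// Only the guarded handler should ever be registered on the hook.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_guarded' );
```

The nonce alone is not authorization: a Subscriber can obtain a valid nonce for an action exposed to them, so the capability check is what actually closes the gap described above.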
EPSS for the CVE rose from lower values after disclosure to a peak of 0.2847 on 2026-04-12 before receding to the current 0.2036, indicating measurable post-publication exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7386
Vulnerability details
The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file upload vulnerability in a public-facing WordPress theme directly enables T1190 (exploiting a public-facing application), T1105 (transferring malicious files to the server), and T1505.003 (installing a web shell for RCE and persistence).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires identification, reporting, and timely remediation of flaws such as the missing capability check in the Newscrunch theme's newscrunch_install_and_activate_plugin() function, so that the flaw is patched before it can be exploited.
- CM-11 (User-installed Software): prohibits or controls software installation by non-privileged users such as Subscribers, directly mitigating unauthorized plugin uploads through the vulnerable function.
- AC-6 (Least Privilege): enforces least privilege so that Subscriber-level users do not hold the capabilities needed for arbitrary file uploads and plugin activation.