PT-2025-18353 · WordPress · Newsblogger

Alexander Chikaylo · Published 2025-05-01 · Updated 2025-05-06 · CVE-2025-1304

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: NewsBlogger theme for WordPress versions up to, and including, 0.2.5.1

Description: The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Recommendations: For NewsBlogger theme for WordPress versions up to, and including, 0.2.5.1, consider disabling the newsblogger_install_and_activate_plugin() function until a patch is available to prevent arbitrary file uploads. Restrict access to the affected site's server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2025-1304

Affected Products: Newsblogger