CVE-2025-1305

Name of the Vulnerable Software and Affected Versions NewsBlogger theme for WordPress versions up to, and including, 0.2.5.4

Description The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the newsblogger install and activate plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Recommendations For NewsBlogger theme for WordPress versions up to, and including, 0.2.5.4, consider disabling the newsblogger install and activate plugin() function until a patch is available to prevent exploitation. Additionally, restrict access to any functionality that relies on this function to minimize the risk of remote code execution.