PT-2026-20586 · WordPress · Newsblogger
Lucky_Buddy
·
Published
2026-02-19
·
Updated
2026-02-23
·
CVE-2025-12821
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
NewsBlogger versions 0.2.5.6 through 0.2.6.1
Description
The NewsBlogger WordPress theme is susceptible to Cross-Site Request Forgery due to inadequate nonce validation within the
newsblogger install and activate plugin() function. This allows unauthenticated attackers to potentially upload arbitrary files and achieve remote code execution by deceiving a site administrator into performing an action, such as clicking a malicious link. This issue represents a regression of a previous fix.Recommendations
NewsBlogger version 0.2.5.6: Update to a newer version.
NewsBlogger version 0.2.5.7: Update to a newer version.
NewsBlogger version 0.2.5.8: Update to a newer version.
NewsBlogger version 0.2.5.9: Update to a newer version.
NewsBlogger version 0.2.6.0: Update to a newer version.
NewsBlogger version 0.2.6.1: Update to a newer version.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Newsblogger