Overview
CVE-2025-1307 is a critical vulnerability in the Newscrunch theme for WordPress, affecting all versions up to and including 1.8.4. The issue allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server, potentially leading to full remote code execution.
Technical Details
The vulnerability stems from a missing capability check in the newscrunch_install_and_activate_plugin() function. This function fails to properly verify the permissions of the user invoking it. As a result, even low-privileged users, such as Subscribers, can exploit the flaw to upload malicious files, including PHP scripts, directly to the web server.
This type of vulnerability is categorized as CWE-862: Missing Authorization. It demonstrates how insufficient access control can elevate minimal user privileges into a full-blown compromise, especially when combined with file upload functionality that lacks validation or execution restrictions.
CVSS Score
The issue has been scored as 9.8 (Critical) using CVSS v3.1:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact: High (Confidentiality, Integrity, Availability)
Impacted Versions
The vulnerability affects all versions of the Newscrunch theme up to and including 1.8.4. This includes default installations where subscriber accounts are enabled.
Mitigation
- Update the Newscrunch theme to the latest version that includes a fix for this issue.
- Restrict user registration or limit file upload capabilities for non-admin roles as a temporary measure.
- Scan your server for suspicious uploaded files, especially PHP scripts in non-standard directories.
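The file scan from the last mitigation step, as an added example (not code from the advisory or the theme). It assumes the standard wp-content/uploads and wp-content/plugins layout; the function names and the sample tree are constructed for illustration, and the plugin allowlist check is an added assumption based on the flawed function handling plugin installation.

```python
import os
import tempfile
from pathlib import Path

# Extensions that common PHP handlers execute; an uploads tree should hold none.
PHP_EXTS = {".php", ".phtml", ".phar", ".pht", ".php3", ".php4", ".php5", ".php7"}

def find_php_in_uploads(wp_root, since=None):
    """List PHP-executable files under wp-content/uploads, relative to wp_root.

    Any PHP suffix in the name counts, so 'x.php.jpg' is reported as well.
    since: optional epoch seconds; keep only files modified at or after it.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(Path(wp_root) / "wp-content" / "uploads"):
        for name in files:
            path = Path(dirpath) / name
            if not {s.lower() for s in path.suffixes} & PHP_EXTS:
                continue
            if since is not None and path.stat().st_mtime < since:
                continue
            hits.append(path.relative_to(wp_root).as_posix())
    return sorted(hits)

def unexpected_plugins(wp_root, allowed):
    """List plugin directories that are not in the operator's allowlist."""
    plugins = Path(wp_root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return sorted(p.name for p in plugins.iterdir() if p.is_dir() and p.name not in allowed)

def build_sample_site():
    """Constructed sample tree (not real data) so the scan can run offline."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    for rel in ("wp-content/uploads/2025/02/photo.jpg",
                "wp-content/uploads/2025/02/cache.php",
                "wp-content/uploads/2025/02/banner.PHP.jpg",
                "wp-content/plugins/akismet/akismet.php",
                "wp-content/plugins/unknown-helper/unknown-helper.php"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("placeholder\n")
    return root

if __name__ == "__main__":
    site = build_sample_site()
    print(find_php_in_uploads(site))
    print(unexpected_plugins(site, allowed={"akismet"}))
```

Pass the since argument as the epoch time of the earliest suspicious Subscriber registration to narrow results to files written after that point.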
Conclusion
This vulnerability is a reminder that themes and plugins must rigorously enforce capability checks, particularly when implementing file upload or plugin management features. Site administrators using Newscrunch should patch immediately and audit any low-privilege accounts for unusual activity.
Thanks to Chloe Chamberland for identifying and reporting this vulnerability. More details can be found in the Wordfence advisory.