Summary
Detail | | | |
---|---|---|---|
Vendor | Spicethemes | First view | 2025-03-04 |
Product | Newscrunch | Last view | 2025-03-04 |
Version | | Type | Application |
Update | | | |
Edition | | | |
Language | | | |
Software Edition | | | |
Target Software | | | |
Target Hardware | | | |
Other | | | |
Activity : Overall
COMMON PLATFORM ENUMERATION: Distribution per Version
CPE Name | Affected CVE |
---|---|
cpe:2.3:a:spicethemes:newscrunch:*:*:*:*:*:wordpress:*:* | 2 |
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
9.8 | 2025-03-04 | CVE-2025-1307 | The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. |
8.8 | 2025-03-04 | CVE-2025-1306 | The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
100% (1) | CWE-352 | Cross-Site Request Forgery (CSRF) |