CVE-2025-12821

NewsBlogger <= 0.2.5.6 - 0.2.6.1 - Cross-Site Request Forgery to Arbitrary Plugin Installation

Assigner: Wordfence
Reserved: 06.11.2025 Published: 19.02.2026 Updated: 19.02.2026

The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is due to a reverted fix of CVE-2025-1305.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	spicethemes
Product	NewsBlogger
Versions	Default: unaffected affected from 0.2.5.6 to 0.2.6.1 (incl.)

Vendor

spicethemes

Product

NewsBlogger

Versions

Default: unaffected

affected from 0.2.5.6 to 0.2.6.1 (incl.)

Credits

lucky_buddy finder

References

Problem Types