CVE-2025-1304 HIGH

CVE-2025-1304: NewsBlogger <= 0.2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload

Vendor Spicethemes

Product NewsBlogger

Weakness CWE-862 · Missing authorization

Published May 1, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Key dates

02Disclosure timeline

May 1, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-1304 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2026-32390 WordPress Nanosoft theme < 1.3.2 - Broken Access Control vulnerability CVE-2026-25393 WordPress Hello FSE theme <= 1.0.6 - Broken Access Control vulnerability CVE-2025-4597 Woo Slider Pro - Drag Drop Slider Builder For WooCommerce <= 1.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion CVE-2025-12845 Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 - 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation CVE-2023-5411 Funnelforms Free <= 3.4 - Missing Authorization to Post Modification