The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is due to a reverted fix of CVE-2025-1305.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Spicethemes |
|
| Wordpress |
|
No data.
No data.
References
History
Thu, 19 Feb 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Spicethemes
Spicethemes newsblogger Wordpress Wordpress wordpress |
|
| Vendors & Products |
Spicethemes
Spicethemes newsblogger Wordpress Wordpress wordpress |
Thu, 19 Feb 2026 04:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is due to a reverted fix of CVE-2025-1305. | |
| Title | NewsBlogger <= 0.2.5.6 - 0.2.6.1 - Cross-Site Request Forgery to Arbitrary Plugin Installation | |
| Weaknesses | CWE-352 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2026-02-19T03:25:16.877Z
Updated: 2026-02-19T03:25:16.877Z
Reserved: 2025-11-06T18:29:47.045Z
Link: CVE-2025-12821
Vulnrichment
No data.
NVD
No data.
Redhat
No data.