{"id":36150,"date":"2025-05-07T18:36:40","date_gmt":"2025-05-07T18:36:40","guid":{"rendered":""},"modified":"2025-05-10T18:20:14","modified_gmt":"2025-05-10T18:20:14","slug":"cve-2025-1304-unauthorized-file-upload-vulnerability-in-newsblogger-wordpress-theme","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-1304-unauthorized-file-upload-vulnerability-in-newsblogger-wordpress-theme\/","title":{"rendered":"CVE-2025-1304: Unauthorized File Upload Vulnerability in NewsBlogger WordPress Theme<\/strong>"},"content":{"rendered":"

Overview<\/strong><\/p>\n

In the rapidly evolving digital landscape, cyber threats have become a substantial concern for many organizations. One of the latest vulnerabilities discovered is CVE-2025-1304, which affects the NewsBlogger theme for WordPress, a popular CMS (Content Management System). The vulnerability lies within the newsblogger_install_and_activate_plugin() function, which lacks a necessary capability check, leading to potential unauthorized file<\/a> uploads.
\nThis vulnerability matters because it gives attackers with subscriber-level access the potential to upload arbitrary files<\/a> onto the affected site’s server. In a worst-case scenario, this could result in remote code<\/a> execution, compromising the entire system or leading to substantial data leakage.<\/p>\n

Vulnerability Summary<\/strong><\/p>\n

CVE ID: CVE-2025-1304
\nSeverity: High (8.8)
\nAttack Vector: Network
\nPrivileges Required: Low (Subscriber-level access)
\nUser Interaction: Required
\nImpact: Potential system<\/a> compromise or data leakage<\/p>\n

Affected Products<\/strong><\/p>

\r\n

\r\n \r\n \"Ameeba\r\n <\/a>\r\n A new way to communicate\r\n <\/h2>\r\n\r\n

\r\n Ameeba Chat is built on encrypted identity, not personal profiles.\r\n <\/p>\r\n\r\n

\r\n Message, call, share files, and coordinate with identities kept separate.\r\n <\/p>\r\n\r\n