CVE-2025-1306
Published 2025-03-04
Priority: P3 · 46 · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.46% (36.6th percentile)
The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 3.8.0 < 6.17.2 | 6.17.2 |
| spicethemes | newscrunch | < 1.8.4.1 | 1.8.4.1 |
| spicethemes | newscrunch | <= 1.8.4 | — |
OSV
osv · 2025-10-28
CVE-2025-40025: f2fs: fix to do sanity check on node footer for non inode dnode
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on node footer for non inode dnode
As syzbot reported below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/file.c:1243!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full)
RIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243
Call Trace:
f2fs_punch_hole+0x2db/0x330 fs/f2fs/file.c:1306
f2fs_fallocate+0x546/0x990 fs/f2fs/file.c:2018
vfs_fallocate+0x666/0x7e0 fs/open.c:342
ksys_fallocate fs/open.c:366 [inline]
__do_sys_fallocate fs/open.c:371 [inline]
__se_sys_fallocate fs/open.c:369 [inline]
__x64_sys_fallo
GHSA
ghsa_unreviewed · 2025-03-04
GHSA-mfc8-82p4-q9xv (CVE-2025-1306, severity HIGH, CWE-352: Cross-Site Request Forgery)
The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
No detection rules found.
No public exploits indexed.
References:
- https://themes.trac.wordpress.org/browser/newscrunch/1.8.3/functions.php#L486
- https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=261789%40newscrunch&new=261789%40newscrunch&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1c507681-61e9-4bf0-8fe5-e2f401a7a8be?source=cve