Vulnerabilities and security researches forbreaking-news-wp breaking-news-wp

Apr 03, 2025

CVE, Research URL: CVE-2025-31750
Home page URL: Security reports for Breaking News WP
Application: Breaking News WP
Date: Apr 01, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in doit Breaking News WP allows Stored XSS. This issue affects Breaking News WP: from n/a through 1.3.
Affected versions: max 1.3.
Status: vulnerable

CVE, Research URL: CVE-2025-31751
Home page URL: Security reports for Breaking News WP
Application: Breaking News WP
Date: Apr 01, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in doit Breaking News WP allows Cross Site Request Forgery. This issue affects Breaking News WP: from n/a through 1.3.
Affected versions: max 1.3.
Status: vulnerable

Apr 24, 2026

CVE, Research URL: CVE-2026-4280
Home page URL: Security reports for Breaking News WP
Application: Breaking News WP
Date: Apr 22, 2026
Research Description: The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwp_ajax_form AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwp_theme option value is passed directly to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler. While sanitize_text_field() is applied to user input, it does not strip directory traversal sequences (../). This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the brnwp_theme option with a directory traversal payload (e.g., ../../../../etc/passwd) and subsequently trigger file inclusion of arbitrary files on the server when the shortcode is rendered.
Affected versions: max 1.3.
Status: vulnerable