CVE-2025-8682
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-11

Last updated on: 2025-10-14

Assigner: Wordfence

Description
The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-11
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-11
EPSS Evaluated
2026-06-14
NVD
CVE-2025-8682
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
wordpresstheme ansar-import *
wordpresstheme newsup 5.0.10
wordpresstheme newsup 5.0.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Newsup WordPress theme allows unauthenticated attackers to install a plugin called ansar-import without proper authorization. This happens because the function newsup_admin_info_install_plugin() lacks a capability check, meaning it does not verify if the user has permission to install plugins. As a result, attackers can exploit this to install plugins via AJAX requests without being logged in or authorized. [2]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to install potentially malicious plugins on your WordPress site using the Newsup theme. Such unauthorized plugin installations can lead to further compromise of your site, including data breaches, site defacement, or other malicious activities. It undermines the security of your WordPress installation by bypassing normal permission checks. [2]

Detection Guidance

You can detect this vulnerability by checking if your WordPress installation is using the Newsup theme version 5.0.10 or earlier, which lacks proper capability checks for plugin installation. On the system, verify if the function newsup_admin_info_install_plugin() is present without user capability and nonce verification. Additionally, monitor for unauthorized AJAX requests to admin-ajax.php with the action install_act_plugin that do not include a valid nonce or come from unauthenticated users. Commands to check the theme version include: `wp theme list --status=active` to identify the active theme and its version, and inspecting the theme files for the presence or absence of nonce verification and capability checks in newsup-admin-plugin-install.php. Network monitoring tools can be used to detect suspicious POST requests to admin-ajax.php with action=install_act_plugin. [2]

Mitigation Strategies

The immediate mitigation step is to update the Newsup WordPress theme to version 5.0.11 or later, which includes security fixes such as nonce verification and user capability checks to prevent unauthorized plugin installations. If updating is not immediately possible, restrict access to the WordPress admin AJAX endpoint (admin-ajax.php) to authenticated and authorized users only, and consider disabling plugin installation capabilities for users who do not require them. Additionally, monitor and block suspicious AJAX requests attempting to install plugins without proper authorization. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8682. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart