CVE-2025-8682
Description
The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Newsup theme for WordPress <=5.0.10 missing capability check allows unauthenticated installation of ansar-import plugin.
The Newsup WordPress theme (up to version 5.0.10) contains a missing authorization vulnerability in the newsup_admin_info_install_plugin() function. This function is exposed via an AJAX action install_act_plugin and lacks a proper capability check, allowing unauthorized actions [1].
An attacker can exploit this by sending a request to admin-ajax.php with the action parameter install_act_plugin. The handler does not verify user capabilities (e.g., install_plugins or manage_options) and is callable without a CSRF nonce, enabling unauthenticated attackers or low-privileged users (Subscriber+) to trigger plugin installation and activation flows [1].
Successful exploitation allows an attacker to install the ansar-import plugin or any arbitrary plugin without authorization, potentially introducing malicious code and compromising the site's security [1]. The vulnerability has been publicly disclosed and a proof-of-concept exists, but no active exploits have been reported yet. Users are advised to update the theme to the latest version and ensure proper security measures are in place [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
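The flaw class described above (an admin-ajax.php handler that acts without a capability check or nonce) can be caught by a static pass over theme source. The following is an added example, not code from the Newsup theme or the cited references; the PHP sample is constructed and the demo_* names are hypothetical.

```python
import re

# add_action( 'wp_ajax_<action>' or 'wp_ajax_nopriv_<action>', '<callback>' )
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
# Checks a privileged AJAX handler is expected to make before acting.
CHECKS = (
    ("capability", re.compile(r"\bcurrent_user_can\s*\(")),
    ("nonce", re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\(")),
)

def function_body(php, name):
    """Return the text between the braces of `function name(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php)
    if not m:
        return None  # callback is defined in another file
    depth, i = 1, m.end()
    while i < len(php) and depth:  # naive: ignores braces in strings/comments
        depth += {"{": 1, "}": -1}.get(php[i], 0)
        i += 1
    return php[m.end():i - 1]

def audit_ajax_handlers(php):
    """List AJAX handlers that skip a check or are hooked for logged-out users."""
    findings = []
    for nopriv, action, callback in HOOK_RE.findall(php):
        body = function_body(php, callback)
        if body is None:
            continue
        missing = [label for label, rx in CHECKS if not rx.search(body)]
        if missing or nopriv:
            findings.append({"action": action, "callback": callback,
                             "unauthenticated_hook": bool(nopriv),
                             "missing": missing})
    return findings

# Constructed sample, not the Newsup theme's code; demo_* names are hypothetical.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_install_act_plugin', 'demo_install_plugin' );
function demo_install_plugin() {
    demo_do_install( sanitize_key( $_POST['slug'] ) );
}
add_action( 'wp_ajax_demo_safe_install', 'demo_safe_install' );
function demo_safe_install() {
    check_ajax_referer( 'demo_install', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) ) { wp_send_json_error( null, 403 ); }
    demo_do_install( 'ansar-import' );
}
"""
```

Calling audit_ajax_handlers(SAMPLE_PHP) reports only the first handler, with both checks missing. A finding is a prompt for manual review, since a handler may delegate its checks to a helper the scan does not follow.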
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.