CVE-2016-10972

9.8 CRITICAL

📋 TL;DR

This vulnerability in the Newspaper WordPress theme allows attackers to bypass access controls and execute unauthorized actions via the td_ajax_update_panel function. It affects WordPress sites using Newspaper theme versions before 6.7.2. Attackers can potentially take full control of vulnerable websites.

💻 Affected Systems

Products:
  • Newspaper WordPress Theme
Versions: All versions before 6.7.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Newspaper theme active. Vulnerability exists in theme code, not core WordPress.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover, data theft, malware injection, defacement, and server compromise leading to lateral movement within the hosting environment.

🟠

Likely Case

Unauthorized content modification, plugin/theme installation, user account creation, and backdoor persistence on the WordPress site.

🟢

If Mitigated

Limited impact with proper network segmentation, web application firewalls, and strict access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available since 2016. Simple HTTP POST requests can trigger the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.7.2 and later

Vendor Advisory: https://themeforest.net/item/newspaper/5489609

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Click on the Newspaper theme.
4. Update to version 6.7.2 or later.
5. Clear any caching plugins/CDN caches.

🔧 Temporary Workarounds

Disable Newspaper Theme

Platform: all

Temporarily switch to default WordPress theme until patched

wp theme activate twentysixteen

Web Application Firewall Rule

Platform: linux

Block requests to the vulnerable td_ajax_update_panel endpoint (Apache configuration):

<LocationMatch "^/wp-admin/admin-ajax\.php$">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead.
    # This denies every admin-ajax.php request, including legitimate
    # dashboard and front-end AJAX, so treat it as a short-lived stopgap.
    Deny from all
</LocationMatch>

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WordPress instance
  • Deploy web application firewall with rules blocking admin-ajax.php exploitation patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress theme version: Navigate to Appearance > Themes and verify Newspaper theme version is below 6.7.2

Check Version:

wp theme list --fields=name,version --status=active

Verify Fix Applied:

Confirm Newspaper theme version is 6.7.2 or higher in WordPress admin panel
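The version check above can be automated against the theme files on disk. The script below is an added example, not part of this advisory: it reads the theme's version from the standard style.css header ("Version: x.y.z", the field WordPress itself reads) and compares it numerically against 6.7.2, so that a version such as 6.10 is not mistaken for something older than 6.7. The sample header embedded in it is constructed for the demo.

```python
"""Check whether an installed Newspaper theme is below the patched 6.7.2.

Added example, not from the advisory. The version is taken from the theme's
style.css header ("Version: x.y.z"); the sample header below is constructed.
"""
import re
from pathlib import Path

PATCHED_VERSION = (6, 7, 2)  # advisory: fixed in 6.7.2 and later

# Constructed sample of a Newspaper style.css header (not a real theme file).
SAMPLE_STYLE_CSS = """\
/*
Theme Name: Newspaper
Theme URI: https://example.invalid/newspaper
Author: tagDiv
Version: 6.6.1
Text Domain: newspaper
*/
body { margin: 0; }
"""

# WordPress header fields are "Key: value" lines inside the leading comment.
_HEADER_LINE = re.compile(r"^\s*\*?\s*(Theme Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_theme_header(css_text):
    """Return the Theme Name and Version fields from a style.css header."""
    header_block = css_text.split("*/", 1)[0]  # only look inside the first comment
    return {key: value for key, value in _HEADER_LINE.findall(header_block)}


def parse_version(version_string):
    """'6.7.2' -> (6, 7, 2); tuples compare numerically, so 6.10 > 6.7."""
    return tuple(int(part) for part in re.findall(r"\d+", version_string))


def is_vulnerable(css_text):
    """True if css_text describes a Newspaper theme older than 6.7.2."""
    header = parse_theme_header(css_text)
    if header.get("Theme Name", "").lower() != "newspaper":
        return False  # some other theme; this advisory does not apply
    version = parse_version(header.get("Version", "0"))
    return version < PATCHED_VERSION


def check_theme_dir(theme_dir):
    """Inspect <theme_dir>/style.css on disk (e.g. wp-content/themes/Newspaper)."""
    css_path = Path(theme_dir).joinpath("style.css")
    return is_vulnerable(css_path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    print("vulnerable" if is_vulnerable(SAMPLE_STYLE_CSS) else "patched or not Newspaper")
```

Point check_theme_dir at the active theme directory reported by `wp theme list`; a True result means the theme still needs the 6.7.2 update.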

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=td_ajax_update_panel
  • Unauthorized theme/plugin installation attempts in WordPress logs
  • Unexpected admin user creation events

Network Indicators:

  • HTTP POST to admin-ajax.php with suspicious parameters
  • Unusual outbound connections from WordPress server post-exploitation

SIEM Query:

(source="wordpress.log" AND "td_ajax_update_panel") OR (source="web.log" AND "admin-ajax.php" AND "POST" AND status=200)
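The log indicators above can be applied directly to web-server access logs. The script below is an added example, not part of this advisory: it parses Apache/nginx "combined" access-log lines and rates POSTs to admin-ajax.php as "high" when the td_ajax_update_panel action is visible in the query string, and as "medium" for other successful POSTs to admin-ajax.php whose action is not visible (POST bodies are not written to access logs, so those hits need correlation with WordPress application logs). The benign-action allowlist and the log lines are constructed for the demo.

```python
"""Rate access-log lines against this CVE's log indicators.

Added example, not from the advisory. Sample log lines are constructed,
and BENIGN_ACTIONS is a hypothetical short allowlist for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

VULNERABLE_ACTION = "td_ajax_update_panel"

# Actions a normal dashboard session sends routinely; seeing them is not
# by itself suspicious. Hypothetical allowlist, extend for your site.
BENIGN_ACTIONS = {"heartbeat"}

# Apache/nginx "combined" log format.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Oct/2016:13:55:36 +0000] "POST /wp-admin/admin-ajax.php?action=td_ajax_update_panel HTTP/1.1" 200 512 "-" "python-requests/2.11"',
    '198.51.100.7 - - [10/Oct/2016:13:56:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://example.invalid/wp-admin/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2016:13:57:12 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2016:13:58:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/7.47"',
    '203.0.113.5 - - [10/Oct/2016:13:59:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 199 "-" "curl/7.47"',
]


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    match = COMBINED_LOG.match(line)
    return match.groupdict() if match else None


def classify(record):
    """Return 'high', 'medium' or None for one parsed access-log record."""
    if record is None or record["method"] != "POST":
        return None
    url = urlsplit(record["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    actions = parse_qs(url.query).get("action", [])
    if VULNERABLE_ACTION in actions:
        return "high"  # the vulnerable action is named in the request line
    if actions and set(actions) <= BENIGN_ACTIONS:
        return None  # known-benign dashboard traffic
    if record["status"] == "200":
        # Action not visible (sent in the POST body); a successful POST to
        # admin-ajax.php matches the SIEM query's second clause.
        return "medium"
    return None


def scan(lines):
    """Return [(ip, timestamp, severity)] for every line worth reviewing."""
    hits = []
    for line in lines:
        record = parse_line(line)
        severity = classify(record)
        if severity:
            hits.append((record["ip"], record["ts"], severity))
    return hits


if __name__ == "__main__":
    for ip, ts, severity in scan(SAMPLE_ACCESS_LOG):
        print(f"{severity:6} {ts} {ip}")
```

Feed scan() the lines of the real access log; "high" hits identify requests that name the vulnerable action, while "medium" hits are the candidates to cross-check against the WordPress-side indicators (theme/plugin installs, new admin users) listed above.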
