Privilege Escalation Vulnerability in Cardealer Theme by WordPress
CVE-2025-1682

8.8HIGH

Key Information:

Vendor
WordPress
Status
Car Dealer Automotive WordPress Theme – Responsive
Vendor
CVE Published:
28 February 2025

Summary

The Cardealer theme for WordPress is susceptible to a privilege escalation vulnerability due to a missing capability check in the 'save_settings' function. This issue affects authenticated users with subscriber-level access and above, allowing them to change the default user role. Websites utilizing the affected theme versions up to and including 1.6.4 may face potential unauthorized modifications, emphasizing the need for immediate updates to ensure robust security.

Affected Version(s)

Car Dealer Automotive WordPress Theme – Responsive * <= 1.6.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://themeforest.net/item/car-dealer-automotive-wordpr...
https://webtemplatemasters.com/cardealer/changelog/#v165

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.