Privilege Escalation Vulnerability in Cardealer Theme by WordPress
CVE-2025-1682

8.8HIGH

Key Information:

Vendor: WordPress
Status: Car Dealer Automotive WordPress Theme – Responsive
Vendor: CVE Published:; 28 February 2025

What is CVE-2025-1682?

The Cardealer theme for WordPress is susceptible to a privilege escalation vulnerability due to a missing capability check in the 'save_settings' function. This issue affects authenticated users with subscriber-level access and above, allowing them to change the default user role. Websites utilizing the affected theme versions up to and including 1.6.4 may face potential unauthorized modifications, emphasizing the need for immediate updates to ensure robust security.

Affected Version(s)

Car Dealer Automotive WordPress Theme – Responsive * <= 1.6.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/car-dealer-automotive-wordpr...

https://webtemplatemasters.com/cardealer/changelog/#v165

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 28, 2025