Arbitrary File Upload Vulnerability in VikRentCar Plugin for WordPress
CVE-2025-5322

7.2HIGH

Key Information:

Vendor

WordPress
Status
Vikrentcar Car Rental Management System
Vendor
CVE Published:
3 July 2025

What is CVE-2025-5322?

The VikRentCar Car Rental Management System plugin for WordPress has a serious vulnerability that allows authenticated users with Administrator-level access to upload arbitrary files due to inadequate file type validation in the do_updatecar and createcar functions. This flaw exposes the site's server to potential unauthorized file uploads, which can lead to remote code execution, compromising the security and integrity of the affected website.

Affected Version(s)

VikRentCar Car Rental Management System * <= 1.4.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/vikrentcar/tag...
https://plugins.trac.wordpress.org/browser/vikrentcar/tag...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jonas Benjamin Friedli
JSON
.
CVE-2025-5322 : Arbitrary File Upload Vulnerability in VikRentCar Plugin for WordPress