CVE-2025-1682
Published: 28 February 2025
Description
The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to a missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user role.
Security Summary
CVE-2025-1682 is a privilege escalation vulnerability in the Cardealer theme for WordPress, affecting versions up to and including 1.6.4. The issue arises from a missing capability check in the 'save_settings' function, classified as CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant confidentiality, integrity, and availability impacts.
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation enables them to modify the default user role, allowing privilege escalation on the targeted WordPress site.
Advisories and patch information are available from referenced sources, including the theme's changelog at https://webtemplatemasters.com/cardealer/changelog/#v165 (noting version 1.6.5), Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/4e337281-f05e-486c-9491-161365af252a?source=cve, and the theme page at https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708. Security practitioners should update to a patched version and review access controls for low-privilege users.
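The control whose absence the summary describes, shown as an added example that is not the Cardealer theme's code: a WordPress AJAX settings handler that performs the capability check (and a nonce check) before the default user role is written. The hook, function, nonce and request-field names are hypothetical, and the snippet assumes it runs inside WordPress, where the called functions are defined.

```php
<?php
// Added example (not Cardealer's code): a WordPress AJAX settings handler
// hardened against the CWE-862 pattern described in CVE-2025-1682.
// Hypothetical names: hook 'cd_save_settings', nonce 'cd_settings_nonce',
// request field 'default_role'.

add_action( 'wp_ajax_cd_save_settings', 'cd_save_settings_handler' );

function cd_save_settings_handler() {
    // 1. Nonce check: rejects requests forged from another site (CSRF).
    //    check_ajax_referer() exits on failure.
    check_ajax_referer( 'cd_settings_nonce', 'nonce' );

    // 2. Capability check: the control missing in the vulnerable versions.
    //    Without it, any logged-in user (subscriber and above) reaches the
    //    code below. wp_send_json_error() exits after sending the response.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the requested role against roles that actually exist,
    //    so an arbitrary string cannot be stored as the site default.
    $role = isset( $_POST['default_role'] )
        ? sanitize_key( wp_unslash( $_POST['default_role'] ) )
        : '';
    if ( '' === $role || ! wp_roles()->is_role( $role ) ) {
        wp_send_json_error( array( 'message' => 'Unknown role.' ), 400 );
    }

    // Only now is the site-wide default role for new registrations changed.
    update_option( 'default_role', $role );
    wp_send_json_success( array( 'default_role' => $role ) );
}
```

When reviewing a theme or plugin for this class of bug, look for every wp_ajax_ / admin_post_ handler that reaches update_option() and confirm a current_user_can() check precedes it.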
Details
- CWE(s)