CVE-2025-1687
Published: 28 February 2025
Description
The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Security Summary
CVE-2025-1687, published on 2025-02-28, is a Cross-Site Request Forgery (CSRF) vulnerability (CWE-352) in the Cardealer theme for WordPress, affecting versions up to and including 1.6.4. The flaw arises from missing nonce validation in the 'update_user_profile' function, which enables forged requests to alter user profiles. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to network accessibility, low complexity, no privileges required, and significant impacts on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking a malicious link. Successful exploitation allows the attacker to update the administrator's email address and password via the forged request, potentially leading to account takeover.
Advisories recommend updating the Cardealer theme to version 1.6.5 or later, where the issue is addressed, as detailed in the theme's changelog. Further intelligence is available from Wordfence's threat intel page and the theme's listing on ThemeForest.
Details
- CWE(s)