Description
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) via Call to Action fields
Action: Update Theme
AI Analysis

Impact

The theme contains a stored XSS vulnerability in its Call to Action custom fields. Insufficient input sanitization and output escaping allow an attacker with contributor‑level or higher permissions to inject arbitrary JavaScript. The injected script executes for any user who views the affected page, potentially compromising accounts, defacing content, or stealing session cookies.

Affected Systems

All installations of the Automotive Car Dealership Business WordPress Theme up to and including version 13.4 are affected. Only accounts with contributor or higher privileges can exploit the flaw.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity risk, while the EPSS score of less than 1 % suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but it remains a potential threat because the attacker requires only contributor access, a privilege granted to many users. Exploitation would involve a user‑initiated insert of malicious script into the custom fields, which will then be rendered unsafely on page load.

Generated by OpenCVE AI on April 22, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the theme to version 13.5 or newer to remove the vulnerable Call to Action fields.
  • If upgrading is not immediately possible, remove or disable the Call to Action custom fields for all user roles, or reduce contributor accounts to read‑only permissions.
  • Deploy a web application firewall rule that blocks or sanitizes scripts injected into the Call to Action fields to mitigate exploitation until a patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 15:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Themesuite
Themesuite automotive Car Dealership Business Wordpress Theme
Wordpress
Wordpress wordpress
Vendors & Products Themesuite
Themesuite automotive Car Dealership Business Wordpress Theme
Wordpress
Wordpress wordpress

Fri, 27 Feb 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Automotive Car Dealership Business WordPress Theme <= 13.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action Fields
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Themesuite Automotive Car Dealership Business Wordpress Theme
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:11.413Z

Reserved: 2025-12-04T15:56:07.226Z

Link: CVE-2025-14040

cve-icon Vulnrichment

Updated: 2026-02-27T18:45:48.690Z

cve-icon NVD

Status : Deferred

Published: 2026-02-27T07:17:09.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14040

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:30:20Z

Weaknesses