The theme’s custom field for Portfolio Items leaks user‑supplied content without proper sanitization or escaping, allowing an authenticated user with contributor or higher permissions to embed malicious code. When another user views the affected page, the injected script executes in their browser, potentially harvesting session cookies or manipulating the page. This class of vulnerability is commonly referred to as a Stored Cross‑Site Scripting (XSS) flaw and can compromise the confidentiality and integrity of site visitors and users.

WordPress sites that have installed the Automotive Car Dealership Business WordPress Theme version 13.4.1 or earlier. The vulnerable code resides in the theme’s handling of the ‘project_details’ custom field used within Portfolio Items.

The CVSS score of 6.4 classifies this flaw as moderate severity. EPSS information is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting it is not currently a high‑profile exploit. Attackers must first authenticate to the WordPress installation with contributor‑level or higher access and then add or edit portfolio items to inject code. The exploit path therefore requires legitimate credentials, but once in place, the injected script will run for all users who view the affected page. Given the potential for credential theft or defacement, administrators should treat this as an actionable risk.