CVE-2025-1681 - Vulnerability Details

- Cardealer <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files

Description

The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files.

Published: 2025-02-27

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in the Cardealer WordPress theme allows an authenticated user with subscriber or higher capabilities to modify or delete JavaScript and CSS files through AJAX functions that lack proper capability checks and filename sanitization. This shortfall enables an attacker to alter styles and scripts that affect the visual presentation and client‑side behaviour of the site, potentially rendering pages unusable or enabling the injection of malicious code. The impact is limited to data modification and availability rather than arbitrary code execution, but it undermines the integrity of the theme’s assets.

Affected Systems

WordPress sites that use the ThemeMakers Car Dealer Automotive WordPress Theme – Responsive, versions up to and including 1.6.4, are susceptible.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of active exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Although the attack vector is not explicitly stated, it is inferred that the exploitation occurs via web‑based AJAX endpoints that an authenticated user can reach, so the threat requires legitimate user credentials but no elevated privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ThemeMakers

Car Dealer Automotive WordPress Theme – Responsive

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.6.4

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Cardealer theme to version 1.6.5 or later, where the missing capability checks and filename sanitization have been implemented.
If an immediate upgrade is not possible, remove or restrict the subscriber+ role capability to trigger the vulnerable AJAX functions by adding a custom role‑based access control rule or using a security plugin to block the relevant endpoints.
Validate the integrity of all theme CSS and JavaScript files after the upgrade.
Enable WordPress's DISALLOW_FILE_EDIT setting to prevent future unauthorized file writes.

Generated by OpenCVE AI on April 22, 2026 at 02:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-5487	The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00082.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708
https://webtemplatemasters.com/cardealer/changelog/#v165
https://www.wordfence.com/threat-intel/vulnerabilities/id/3e394ee2-13c1-4b04-a8a5-4642f1794d59?source=cve

History

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 27 Feb 2025 23:30:00 +0000

Type	Values Removed	Values Added
Description		The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files.
Title		Cardealer <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files
Weaknesses		CWE-862
References		https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708 https://webtemplatemasters.com/cardealer/changelog/#v165 https://www.wordfence.com/threat-intel/vulnerabilities/id/3e394ee2-13c1-4b04-a8a5-4642f1794d59?source=cve
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-02-27T23:22:38.865Z

Updated: 2026-04-08T16:47:50.849Z

Reserved: 2025-02-25T09:39:21.563Z

Link: CVE-2025-1681

Vulnrichment

Updated: 2025-02-28T14:59:49.066Z

NVD

Status : Deferred

Published: 2025-02-28T00:15:35.950

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:15:05Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object