Description
The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-02-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Cardealer WordPress theme is vulnerable to cross-site request forgery (CSRF) because the update_user_profile function does not validate a nonce, WordPress's anti-CSRF token. The handler relies only on the session cookie the browser attaches automatically, so an attacker who holds no account on the site can host a page that silently submits the profile-update request from an administrator's browser when the administrator visits it or clicks a link. The forged request changes the administrator's email address and password, locking out the legitimate user and handing the attacker credentials to log in as the administrator.

Affected Systems

The vulnerability affects ThemeMakers' Car Dealer Automotive WordPress Theme – Responsive (listed as Cardealer in the advisory) in all releases up to and including version 1.6.4. Any site running 1.6.4 or older is at risk.

Risk and Exploitability

The CVSS 3.1 base score is 8.8 (High), from the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: reachable over the network with low attack complexity, no privileges required of the attacker, but user interaction by the victim required, with high impact on confidentiality, integrity and availability. The EPSS score below 1% suggests exploitation in the wild is currently unlikely, and the CVE is not listed in the CISA KEV catalog; the SSVC assessment in the history below likewise rates it as not automatable, with total technical impact. Exploitation needs no credentials on the target site: the attacker hosts or injects a page that auto-submits the update_user_profile request and lures a logged-in administrator to it via a link, an email, or a compromised site. Any site running an affected version whose administrators browse while logged in is exposed.

Generated by OpenCVE AI on April 21, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cardealer WordPress theme to a release that adds nonce validation to update_user_profile as soon as the vendor publishes one; at the time of this page no vendor fix is recorded.
  • If an upgrade is not possible, add nonce validation (check_ajax_referer() or wp_verify_nonce()) and a capability check to the update_user_profile handler, or unhook the handler so that account changes go through WordPress's own profile screen, which is nonce-protected.
  • Restricting the WordPress admin area to trusted IP addresses and enabling two-factor authentication reduce the account's overall exposure, but neither blocks this CSRF: the forged request is issued by the administrator's own already-authenticated browser, so it arrives from a trusted address with a valid session. Until the theme is fixed, administrators should avoid browsing untrusted sites while logged in.
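An added illustration of the pattern the Impact section describes and of the fix the second recommended action calls for. This is hypothetical example code, not the Cardealer theme's own update_user_profile implementation: the AJAX hook name, the nonce action string, the field names and the function names are assumptions. The first handler shows the vulnerable shape (a state-changing request accepted on the strength of the session cookie alone); the second adds the nonce check, a capability check and input validation; the last function shows how the legitimate form mints the nonce that a cross-origin page cannot obtain.

```php
<?php
/*
 * Illustrative only: a hypothetical profile-update AJAX handler in the
 * vulnerable shape the advisory describes, beside a hardened version.
 * Neither is the Cardealer theme's actual code; the hook name, nonce
 * action, field names and function names are assumptions.
 */

// --- Vulnerable pattern: trusts the request because a session cookie is present.
// Any page the administrator visits can auto-submit a POST to admin-ajax.php with
// action=update_user_profile; the browser attaches the WordPress auth cookies.
// Registering only a wp_ajax_ hook limits the handler to logged-in users, but that
// is authentication, not CSRF protection: the victim IS logged in.
function cardealer_update_user_profile_vulnerable() {
    $user_id = get_current_user_id();
    wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => $_POST['email'],
        'user_pass'  => $_POST['password'],
    ) );
    wp_send_json_success();
}
// add_action( 'wp_ajax_update_user_profile', 'cardealer_update_user_profile_vulnerable' ); // vulnerable wiring

// --- Hardened pattern: the request must carry a nonce minted for this logged-in
// user and this action, and the user must be allowed to edit the target account.
function cardealer_update_user_profile_hardened() {
    // 1. CSRF check. A WordPress nonce is bound to the session and the action
    //    name, so a page on another origin cannot obtain or guess it.
    //    check_ajax_referer() terminates the request if the field is missing or invalid.
    check_ajax_referer( 'cardealer_update_user_profile', '_wpnonce' );

    $user_id = get_current_user_id();

    // 2. Authorization check, separate from the CSRF check.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate input before touching the account.
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    $data = array( 'ID' => $user_id, 'user_email' => $email );

    // Only change the password when one was actually submitted.
    $password = (string) ( $_POST['password'] ?? '' );
    if ( '' !== $password ) {
        $data['user_pass'] = $password;
    }

    $result = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_update_user_profile', 'cardealer_update_user_profile_hardened' );

// The legitimate profile form mints the matching nonce as a hidden field.
// An attacker's page cannot produce this value for the victim's session.
function cardealer_profile_form_nonce() {
    wp_nonce_field( 'cardealer_update_user_profile', '_wpnonce' );
}
```

A quick way to confirm whether a site's handler is protected without reading its source: from a logged-in session, submit the profile-update request with the nonce field removed or altered. A nonce-validated handler rejects it (check_ajax_referer() terminates with -1 by default), while a vulnerable handler applies the change.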


Advisories

Source: EUVD
ID: EUVD-2025-5485
Title: The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
History

Tue, 04 Mar 2025 03:45:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 27 Feb 2025 23:30:00 +0000

Type: Description
Values Added: The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: Cardealer <= 1.6.4 - Cross-Site Request Forgery to User Update via update_user_profile

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added: (not shown on the page)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:12.337Z

Reserved: 2025-02-25T10:38:35.575Z

Link: CVE-2025-1687

Vulnrichment

Updated: 2025-02-28T14:47:20.617Z

NVD

Status : Deferred

Published: 2025-02-28T00:15:36.240

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z

Weaknesses