Description
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Published: 2025-07-03
Score: 7.2 High
EPSS: 2.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The VikRentCar Car Rental Management System plugin for WordPress contains a flaw that permits uploading files of any type because the plugin's do_updatecar and createcar functions do not validate the MIME type or file extension. This is a classic improper file type validation weakness (CWE‑434). Attacker with Administrator or higher privileges can insert an executable or a malicious script onto the web server. Once placed in a directory that is served by the web server, the file can be accessed and run, allowing remote code execution or other destructive actions.

Affected Systems

VikRentCar Car Rental Management System, published by e4jvikwp, for WordPress. Versions up to and including 1.4.3 are affected. The vulnerability is present in the plugin’s administrator‑only functions, so any installation of the plugin that uses these functions poses a risk.

Risk and Exploitability

The plugin’s CVSS score is 7.2, indicating a high severity. The EPSS score is 3 %, indicating a moderate likelihood that active exploitation is occurring and that this flaw may be targeted by attackers. It is not listed in the CISA KEV catalog. An attacker would need to be authenticated as Administrator or higher; there is no authentication bypass described. Once the arbitrary file is uploaded, the risk escalates immediately to remote code execution.

Generated by OpenCVE AI on April 29, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official update of the VikRentCar Car Rental Management System plugin that addresses the file type validation flaw.
  • Temporarily deactivate or uninstall the plugin until a vendor patch is released.
  • Configure WordPress upload settings or use a security plugin to restrict uploaded file types, ensuring that uploaded files are not placed in Web‑exposed directories.

Generated by OpenCVE AI on April 29, 2026 at 21:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19909 The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
History

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00292}

 epss

{'score': 0.00484}

Thu, 10 Jul 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared E4jconnect
E4jconnect vikrentcar
CPEs cpe:2.3:a:e4jconnect:vikrentcar:*:*:*:*:*:wordpress:*:*
Vendors & Products E4jconnect
E4jconnect vikrentcar

Tue, 08 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 03 Jul 2025 21:45:00 +0000

Type Values Removed Values Added
Description The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Title VikRentCar Car Rental Management System <= 1.4.3 - Authenticated (Administrator+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

E4j Vikrentcar Car Rental Management System
E4jconnect Vikrentcar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:23.195Z

Reserved: 2025-05-29T08:16:36.557Z

Link: CVE-2025-5322

cve-icon Vulnrichment

Updated: 2025-07-08T14:29:43.367Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-03T22:15:21.287

Modified: 2025-07-10T15:15:29.830

Link: CVE-2025-5322

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses