Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeMakers Car Dealer cardealer allows Reflected XSS.This issue affects Car Dealer: from n/a through <= 1.6.7.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS) leading to client‑side code execution
Action: Patch Now
AI Analysis

Impact

The vulnerability is a reflected XSS caused by improper input neutralization in ThemeMakers Car Dealer theme. A crafted request can inject JavaScript that executes in the victim’s browser. This allows an attacker to steal cookies, hijack user sessions, or perform malicious actions while the user is logged in. The impact is on confidentiality and integrity of user data and can lead to further compromises such as phishing or credential theft.

Affected Systems

The issue affects WordPress sites that have the Car Dealer theme from any unreleased version through version 1.6.7. The vendor is ThemeMakers and the product is the Car Dealer theme.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but XSS remains a common exploitation vector. The likely attack vector is an innocent user clicking a malicious URL or link. No special authentication or privilege is required, so any user visiting the site is a target. Given the widespread use of the theme, the risk of exploitation is significant for affected sites.

Generated by OpenCVE AI on March 25, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Car Dealer theme to the latest version 1.6.8 or later, which contains the XSS fix
  • Verify that all theme files are intact and have not been tampered with
  • Implement generic input sanitization or use a plugin like Wordfence to block reflected XSS attempts
  • Ensure that all users understand that clicking unexpected URLs can lead to attacks
  • Consider disabling the theme temporarily until a patch is applied if an immediate upgrade is not feasible

Generated by OpenCVE AI on March 25, 2026 at 22:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Thememakers
Thememakers car Dealer
Wordpress
Wordpress wordpress
Vendors & Products Thememakers
Thememakers car Dealer
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeMakers Car Dealer cardealer allows Reflected XSS.This issue affects Car Dealer: from n/a through <= 1.6.7.
Title WordPress Car Dealer theme <= 1.6.7 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Thememakers Car Dealer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:43.211Z

Reserved: 2026-01-22T14:42:48.126Z

Link: CVE-2026-24391

cve-icon Vulnrichment

Updated: 2026-03-25T20:20:51.334Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:38.383

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-24391

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:13:09Z

Weaknesses