Primary

Context

VikRentCar WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Arbitrary File Upload

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the VikRentCar Car Rental Management System plugin for WordPress, affecting all versions through 1.4.2. The vulnerability arises from inadequate nonce validation in the 'save' function, allowing unauthenticated attackers to manipulate plugin access rights by tricking a site administrator into clicking a link. Exploitation of this vulnerability enables users with subscriber-level privileges or higher to upload arbitrary files to the server, potentially leading to remote code execution.

Impact

Successful exploitation allows authenticated users with subscriber privileges and above to upload arbitrary files to the server, which could be used to execute malicious code remotely.

Remediation

Users are advised to update the VikRentCar WordPress plugin to version 1.4.3 or later.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

5.7

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

5.7

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

VikRentCar WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Arbitrary File Upload

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating