Primary

Context

CarSpot WordPress Theme Privilege Escalation Vulnerability Allowing Account Takeover

Vulnerability

Patched

A vulnerability in the CarSpot – Dealership WordPress Classified Theme, affecting all versions through 2.4.3, allows for privilege escalation via account takeover. The issue arises because the theme fails to properly validate a token before updating a user's password. This flaw enables unauthenticated attackers to reset passwords for any user, including administrators, and gain access to their accounts.

Impact

Exploitation of this vulnerability allows for unauthorized password resets, leading to account takeovers, including those of administrators.

Remediation

Users are advised to update the theme to version 2.4.4 or a newer patched version.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

5.0

exploitability

7.6

remediation

7.7

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

5.0

exploitability

7.6

remediation

7.7

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

CarSpot WordPress Theme Privilege Escalation Vulnerability Allowing Account Takeover

Vulnerability

Impact

Remediation

Affected Products

CarSpot

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating