Car Dealer Automotive WordPress Theme Arbitrary File Deletion Vulnerability
Vulnerability
A vulnerability allowing arbitrary file deletion has been identified in the Car Dealer Automotive WordPress Theme, responsive version, in all releases through 1.6.3. This issue arises from inadequate file path validation in the 'delete_post_photo()' and 'add_car()' functions. Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to delete arbitrary files on the server. Such actions could lead to remote code execution, particularly if critical files like 'wp-config.php' are targeted. Additionally, the 'add_car()' function may allow reading of arbitrary files.
Impact
Exploitation of this vulnerability could result in unauthorized deletion of files on the server, with the potential for remote code execution if a sensitive file is removed.
Remediation
Users are advised to update the Car Dealer Automotive WordPress Theme to version 1.6.4 or a newer patched version.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.