WebTemplateMasters CarDealer
cpe:2.3:a:car_dealer_/_auto_dealer_responsive_project:car_dealer_/_auto_dealer_responsive:*:*:*:*:wordpress:*:*
- <= 1.6.4
A vulnerability exists in the Cardealer theme for WordPress in versions through 1.6.4. The issue arises from a lack of proper capability checks and filename sanitization in the demo theme scheme AJAX functions. It allows authenticated attackers with subscriber-level access and above to modify or delete arbitrary CSS and JavaScript files without authorization, leading to potential data loss and unauthorized data changes.
Exploitation of this vulnerability could result in unauthorized modification or deletion of CSS and JavaScript files, allowing for potential data loss or disruption of site functionality.
Users are advised to update the Cardealer theme to version 1.6.5 or a newer patched version.
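The two controls the description names as missing, a capability check and filename sanitization, as they would look in a WordPress AJAX handler that deletes a stylesheet or script. This is an added example, not the Cardealer theme's code or its 1.6.5 patch; the action name, nonce name, `file` parameter and `assets/schemes` directory are assumptions.

```php
<?php
// Added example: action, nonce, parameter and directory names are hypothetical,
// not taken from the Cardealer theme.
add_action( 'wp_ajax_example_delete_scheme', 'example_delete_scheme' );

function example_scheme_dir() {
    // Assumed location of the generated scheme files.
    return trailingslashit( get_stylesheet_directory() ) . 'assets/schemes';
}

function example_resolve_scheme_file( $raw_name ) {
    // Drop any directory components, then normalize the remaining name.
    $name = sanitize_file_name( wp_basename( wp_unslash( $raw_name ) ) );
    // Accept only the two file types the feature is meant to manage.
    if ( ! preg_match( '/\A[a-z0-9_-]+\.(css|js)\z/i', $name ) ) {
        return false;
    }
    $base = realpath( example_scheme_dir() );
    $path = realpath( $base . '/' . $name );
    // realpath() resolves ".." and symlinks; the result must stay under $base.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

function example_delete_scheme() {
    // 1. Nonce check: wp_ajax_* hooks fire for every logged-in user.
    check_ajax_referer( 'example_scheme_nonce', 'nonce' );
    // 2. Capability check: subscribers do not hold edit_theme_options.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Filename validation and directory containment.
    $path = isset( $_POST['file'] )
        ? example_resolve_scheme_file( $_POST['file'] )
        : false;
    if ( false === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}
```

When reviewing other theme or plugin code for the same class of bug, look for `wp_ajax_` callbacks that touch the filesystem without a `current_user_can()` call before the file operation.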