{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1282", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-13T16:19:05.700Z", "datePublished": "2025-02-27T08:22:04.186Z", "dateUpdated": "2026-04-08T17:31:41.327Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:41.327Z"}, "affected": [{"vendor": "ThemeMakers", "product": "Car Dealer Automotive WordPress Theme \u2013 Responsive", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Car Dealer Automotive WordPress Theme \u2013 Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_post_photo() and add_car() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The add_car() function may also make it possible to read arbitrary files."}], "title": "Car Dealer Automotive WordPress Theme \u2013 Responsive <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Deletion and Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/edf4b588-8b67-425a-b0e1-d4382cb88dd1?source=cve"}, {"url": "https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708?s_rank=7"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "timeline": [{"time": "2025-02-26T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-27T14:35:39.269982Z", "id": "CVE-2025-1282", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T14:35:51.725Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1282", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-13T16:19:05.700Z", "datePublished": "2025-02-27T08:22:04.186Z", "dateUpdated": "2025-02-27T14:35:51.725Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-02-27T08:22:04.186Z"}, "affected": [{"vendor": "ThemeMakers", "product": "Car Dealer Automotive WordPress Theme \u2013 Responsive", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.6.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Car Dealer Automotive WordPress Theme \u2013 Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_post_photo() and add_car() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The add_car() function may also make it possible to read arbitrary files."}], "title": "Car Dealer Automotive WordPress Theme \u2013 Responsive <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Deletion and Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/edf4b588-8b67-425a-b0e1-d4382cb88dd1?source=cve"}, {"url": "https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708?s_rank=7"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "timeline": [{"time": "2025-02-26T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1282", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-27T14:35:39.269982Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T14:35:45.993Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thememakers:car_dealer_automotive:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F90D141E-7327-438B-B191-463209F2DA30", "versionEndExcluding": "1.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Car Dealer Automotive WordPress Theme \u2013 Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_post_photo() and add_car() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The add_car() function may also make it possible to read arbitrary files."}, {"lang": "es", "value": "El tema Car Dealer Automotive WordPress \u2013 Responsive theme for WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en las funciones delete_post_photo() y add_car() en todas las versiones hasta la 1.6.3 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor o superior, eliminen archivos arbitrarios en el servidor, lo que puede conducir f\u00e1cilmente a la ejecuci\u00f3n remota de c\u00f3digo cuando se elimina el archivo correcto (como wp-config.php). La funci\u00f3n add_car() tambi\u00e9n puede permitir la lectura de archivos arbitrarios."}], "id": "CVE-2025-1282", "lastModified": "2025-03-11T16:08:00.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-02-27T09:15:10.160", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708?s_rank=7"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/edf4b588-8b67-425a-b0e1-d4382cb88dd1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:46:06.004812+00:00", "value": {"mitigation_remediation": ["Update the Car Dealer Automotive WordPress Theme to the latest version (1.6.4 or later) where the path validation bug is fixed.", "Restrict or remove the delete capability from Subscriber and lower roles, for example by using a role\u2011management plugin to revoke the relevant capabilities.", "If an immediate update is not feasible, apply a temporary workaround by disabling the delete_post_photo() and add_car() functions\u2014through code alteration or conditional hooks\u2014and ensure file permissions on the server prevent deletion of critical files."], "summary": {"action": "Apply Patch", "impact": "Arbitrary file deletion and read"}, "threat_synthesis": {"affected_systems": "Affected products are the Car Dealer Automotive WordPress Theme \u2013 Responsive from ThemeMakers. All released versions up to and including 1.6.3 are vulnerable. No other versions or vendor products are currently reported as affected.", "description_and_impact": "The theme contains an insufficient file path validation flaw in the delete_post_photo() and add_car() functions. An authenticated attacker who has Subscriber-level access or higher can supply arbitrary file paths, causing the server to delete any file or read its contents. Because key configuration files such as wp-config.php can be removed, this flaw can lead to remote code execution. The weakness corresponds to path traversal and unauthorized file manipulation.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity vulnerability, and an EPSS score of 4% shows a non\u2011trivial likelihood of exploitation under current threat conditions. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and hold at least Subscriber privileges; they can then invoke the delete_post_photo() or add_car() endpoints, providing a crafted file path, to delete or read files on the server. If a critical file such as wp-config.php is removed, arbitrary code execution can follow through subsequent application behavior."}}}}, "created": "2026-04-21T00:00:13.354196+00:00", "updated": "2026-04-21T00:00:13.354217+00:00", "vendors": []}