{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14040", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T15:56:07.226Z", "datePublished": "2026-02-27T06:43:48.758Z", "dateUpdated": "2026-04-08T16:35:11.413Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:11.413Z"}, "affected": [{"vendor": "themesuite", "product": "Automotive Car Dealership Business WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "13.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Automotive Car Dealership Business WordPress Theme <= 13.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action Fields", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd4b65d-b916-432f-bb59-d2f8a9aadeac?source=cve"}, {"url": "https://themeforest.net/item/automotive-car-dealership-business-wordpress-theme/9210971"}, {"url": "https://themeforest.net/item/automotive-car-dealership-business-wordpress-theme/9210971#item-description__changelog"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Mateusz Gierblinski"}], "timeline": [{"time": "2026-02-26T18:08:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T18:45:43.346413Z", "id": "CVE-2025-14040", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:45:51.725Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14040", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T18:45:43.346413Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:45:48.690Z"}}], "cna": {"title": "Automotive Car Dealership Business WordPress Theme <= 13.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action Fields", "credits": [{"lang": "en", "type": "finder", "value": "Mateusz Gierblinski"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themesuite", "product": "Automotive Car Dealership Business WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "13.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-26T18:08:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd4b65d-b916-432f-bb59-d2f8a9aadeac?source=cve"}, {"url": "https://themeforest.net/item/automotive-car-dealership-business-wordpress-theme/9210971"}, {"url": "https://themeforest.net/item/automotive-car-dealership-business-wordpress-theme/9210971#item-description__changelog"}], "descriptions": [{"lang": "en", "value": "The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:11.413Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14040", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:11.413Z", "dateReserved": "2025-12-04T15:56:07.226Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-27T06:43:48.758Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El tema de WordPress 'Automotive Car Dealership Business' para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de los campos personalizados 'Call a Action' en todas las versiones hasta la 13.4, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario en los campos personalizados 'action_text', 'action_button_text', 'action_link' y 'action_class'. Esto permite a atacantes autenticados, con permisos de nivel de colaborador y superiores, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-14040", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-27T07:17:09.710", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/automotive-car-dealership-business-wordpress-theme/9210971"}, {"source": "security@wordfence.com", "url": "https://themeforest.net/item/automotive-car-dealership-business-wordpress-theme/9210971#item-description__changelog"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd4b65d-b916-432f-bb59-d2f8a9aadeac?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,13.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Automotive Car Dealership Business WordPress Theme", "source": "cna", "vendor": "themesuite"}, "product": "automotive_car_dealership_business_wordpress_theme", "vendor": "themesuite"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T15:24:49.080672+00:00", "value": {"mitigation_remediation": ["Upgrade the theme to version 13.5 or newer to remove the vulnerable Call to Action fields.", "If upgrading is not immediately possible, remove or disable the Call to Action custom fields for all user roles, or reduce contributor accounts to read\u2011only permissions.", "Deploy a web application firewall rule that blocks or sanitizes scripts injected into the Call to Action fields to mitigate exploitation until a patch is applied."], "summary": {"action": "Update Theme", "impact": "Stored Cross\u2011Site Scripting (XSS) via Call to Action fields"}, "threat_synthesis": {"affected_systems": "All installations of the Automotive Car Dealership Business WordPress Theme up to and including version 13.4 are affected. Only accounts with contributor or higher privileges can exploit the flaw.", "description_and_impact": "The theme contains a stored XSS vulnerability in its Call to Action custom fields. Insufficient input sanitization and output escaping allow an attacker with contributor\u2011level or higher permissions to inject arbitrary JavaScript. The injected script executes for any user who views the affected page, potentially compromising accounts, defacing content, or stealing session cookies.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity risk, while the EPSS score of less than 1\u2009% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but it remains a potential threat because the attacker requires only contributor access, a privilege granted to many users. Exploitation would involve a user\u2011initiated insert of malicious script into the custom fields, which will then be rendered unsafely on page load."}}}}, "created": "2026-02-27T16:06:09.567592+00:00", "updated": "2026-04-22T15:30:20.777911+00:00", "vendors": ["themesuite", "themesuite$PRODUCT$automotive_car_dealership_business_wordpress_theme", "wordpress", "wordpress$PRODUCT$wordpress"]}