{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1681", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-25T09:39:21.563Z", "datePublished": "2025-02-27T23:22:38.865Z", "dateUpdated": "2026-04-08T16:47:50.849Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:50.849Z"}, "affected": [{"vendor": "ThemeMakers", "product": "Car Dealer Automotive WordPress Theme \u2013 Responsive", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files."}], "title": "Cardealer <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e394ee2-13c1-4b04-a8a5-4642f1794d59?source=cve"}, {"url": "https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708"}, {"url": "https://webtemplatemasters.com/cardealer/changelog/#v165"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2025-02-25T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-02-25T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-02-27T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-28T14:59:42.739618Z", "id": "CVE-2025-1681", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-28T14:59:56.825Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1681", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-28T14:59:42.739618Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-28T14:59:49.066Z"}}], "cna": {"title": "Cardealer <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "ThemeMakers", "product": "Car Dealer Automotive WordPress Theme \u2013 Responsive", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-25T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-02-25T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-02-27T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e394ee2-13c1-4b04-a8a5-4642f1794d59?source=cve"}, {"url": "https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708"}, {"url": "https://webtemplatemasters.com/cardealer/changelog/#v165"}], "descriptions": [{"lang": "en", "value": "The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:50.849Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1681", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:50.849Z", "dateReserved": "2025-02-25T09:39:21.563Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-02-27T23:22:38.865Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files."}, {"lang": "es", "value": "El tema Cardealer para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos y a la p\u00e9rdida de datos debido a la falta de una verificaci\u00f3n de capacidad y de una depuraci\u00f3n de nombres de archivo en las funciones AJAX del esquema del tema de demostraci\u00f3n en versiones hasta la 1.6.4 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor o superior, cambien o eliminen archivos CSS y JS arbitrarios."}], "id": "CVE-2025-1681", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-02-28T00:15:35.950", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708"}, {"source": "security@wordfence.com", "url": "https://webtemplatemasters.com/cardealer/changelog/#v165"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e394ee2-13c1-4b04-a8a5-4642f1794d59?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T02:04:20.161946+00:00", "value": {"mitigation_remediation": ["Upgrade the Cardealer theme to version 1.6.5 or later, where the missing capability checks and filename sanitization have been implemented.", "If an immediate upgrade is not possible, remove or restrict the subscriber+ role capability to trigger the vulnerable AJAX functions by adding a custom role\u2011based access control rule or using a security plugin to block the relevant endpoints.", "Validate the integrity of all theme CSS and JavaScript files after the upgrade.", "Enable WordPress's DISALLOW_FILE_EDIT setting to prevent future unauthorized file writes."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized file modification"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the ThemeMakers Car Dealer Automotive WordPress Theme \u2013 Responsive, versions up to and including 1.6.4, are susceptible.", "description_and_impact": "The vulnerability in the Cardealer WordPress theme allows an authenticated user with subscriber or higher capabilities to modify or delete JavaScript and CSS files through AJAX functions that lack proper capability checks and filename sanitization. This shortfall enables an attacker to alter styles and scripts that affect the visual presentation and client\u2011side behaviour of the site, potentially rendering pages unusable or enabling the injection of malicious code. The impact is limited to data modification and availability rather than arbitrary code execution, but it undermines the integrity of the theme\u2019s assets.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of active exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Although the attack vector is not explicitly stated, it is inferred that the exploitation occurs via web\u2011based AJAX endpoints that an authenticated user can reach, so the threat requires legitimate user credentials but no elevated privileges."}}}}, "created": "2026-04-22T02:15:05.410222+00:00", "updated": "2026-04-22T02:15:05.410232+00:00", "vendors": []}