Platform
wordpress
Component
car-dealer-automotive-responsive
Fixed in
1.6.4
CVE-2025-1282 is an arbitrary file access vulnerability discovered in the Car Dealer Automotive WordPress Theme – Responsive. This flaw allows authenticated attackers, with Subscriber-level access or higher, to delete arbitrary files on the server, potentially leading to remote code execution. The vulnerability affects versions 1.0.0 through 1.6.3 of the theme, and a fix is available in subsequent versions.
The primary impact of CVE-2025-1282 is the ability for an authenticated attacker to delete arbitrary files on the web server. This is particularly concerning because the attacker can target critical configuration files, such as wp-config.php, which contains database credentials and other sensitive information. Deletion of wp-config.php can lead to complete compromise of the WordPress installation, allowing the attacker to gain full control over the server. The vulnerability also allows for the potential reading of arbitrary files, further expanding the attacker's reconnaissance capabilities. This vulnerability shares similarities with other file access vulnerabilities in WordPress themes where insufficient input validation allows for manipulation of file paths.
CVE-2025-1282 was publicly disclosed on 2025-02-27. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation, combined with the theme's popularity, suggests a moderate risk of exploitation. The vulnerability has not been added to the CISA KEV catalog as of this date. Active campaigns targeting WordPress themes are common, so vigilance is advised.
WordPress websites using the Car Dealer Automotive WordPress Theme – Responsive are at risk. Specifically, sites running versions 1.0.0 through 1.6.3 are vulnerable. Shared hosting environments are particularly at risk, as they often have limited control over file permissions and security configurations. Sites with weak password policies or compromised user accounts are also more susceptible to exploitation.
• wordpress / composer / npm: wp plugin list | grep 'Car Dealer Automotive WordPress Theme'
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: grep -r 'delete_post_photo' /var/www/html/wp-content/plugins/car-dealer-responsive/
• wordpress / composer / npm: wp plugin status | grep 'Car Dealer Automotive WordPress Theme'
Disclosure
Exploit status
EPSS
1.00% (77th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1282 is to upgrade the Car Dealer Automotive WordPress Theme – Responsive to a version that includes the fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file permissions on the WordPress installation to prevent unauthorized file deletion, and implementing a Web Application Firewall (WAF) rule to block requests that attempt to access or delete files outside of the designated upload directories. Regularly review WordPress plugin and theme updates to ensure timely patching of vulnerabilities.
Update the Car Dealer Automotive WordPress Theme – Responsive theme to the latest available version (above 1.6.3) to fix the arbitrary file deletion and read vulnerability. Be sure to take a full backup of the site before updating.
CVE-2025-1282 is a HIGH severity vulnerability in the Car Dealer Automotive WordPress Theme allowing authenticated users to delete arbitrary files, potentially leading to remote code execution.
Yes, if your WordPress site uses the Car Dealer Automotive WordPress Theme – Responsive version 1.0.0–1.6.3, you are affected by this vulnerability.
Upgrade the Car Dealer Automotive WordPress Theme – Responsive to a patched version. If immediate upgrade is not possible, implement temporary workarounds like restricting file permissions or using a WAF.
There is currently no indication of active exploitation, but the vulnerability's potential for RCE makes it a potential target.
Refer to the official WordPress plugin repository and the theme developer's website for updates and advisories related to CVE-2025-1282.