Platform
wordpress
Component
wp-cardealer
Fixed in
1.2.17
CVE-2025-13764 describes a Privilege Escalation vulnerability affecting the WP CarDealer plugin for WordPress. This flaw allows unauthenticated attackers to escalate their privileges to administrator level by manipulating user roles during registration. The vulnerability impacts versions 0.0 through 1.2.16 of the plugin, and a patch is available in version 1.2.17.
The impact of this vulnerability is severe. An unauthenticated attacker can exploit it to gain full administrative control over a WordPress site running an affected version of WP CarDealer. This grants them the ability to modify content, install malicious plugins, steal sensitive data, and potentially compromise the entire system. The attacker could exfiltrate user credentials, financial information, or other confidential data stored on the site. The ease of exploitation, requiring only a crafted registration request, significantly increases the risk of widespread compromise.
This vulnerability was publicly disclosed on 2025-12-11. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the critical severity make it a high-priority target. Unauthenticated privilege escalation of this kind matches a common attack pattern. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Websites utilizing the WP CarDealer plugin, particularly those with limited security hardening or those running older, unpatched versions of WordPress, are at significant risk. Shared hosting environments where multiple websites share the same server are also vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'WP_CarDealer_User::process_register' /var/www/html/wp-content/plugins/wp-cardealer/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'wp-cardealer'
• wordpress / composer / npm:
wp plugin update wp-cardealer
Disclosure
Exploit status
EPSS
0.15% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the WP CarDealer plugin to version 1.2.17 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling user registration on the WordPress site to prevent new accounts from being created with elevated privileges. Web Application Firewalls (WAFs) configured to inspect registration requests for suspicious role assignments can provide an additional layer of protection. Monitor WordPress logs for unusual registration attempts or changes to user roles.
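One way to implement the log and WAF check suggested above, as an added example written for this page (not code from the advisory, the plugin, or WordPress): it flags registration POSTs that carry a role-like field, which a legitimate sign-up form never sends. The endpoint list, the field-name pattern and the sample requests are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# A posted field whose name is (or contains) a role/capability key is never
# part of a legitimate sign-up form; on a registration endpoint it is the
# role-manipulation pattern this advisory describes.
ROLE_FIELD = re.compile(
    r"(?:^|[_\-\[])(?:role|roles|capabilit(?:y|ies))(?:$|[_\-\]])", re.I)

# WordPress built-in roles that must never be self-assigned at sign-up.
PRIVILEGED = {"administrator", "editor", "author"}

# Endpoints to watch. wp-login.php?action=register is core WordPress; the
# plugin's own registration handler is assumed to sit behind admin-ajax.php.
REGISTER_PATHS = ("/wp-login.php?action=register", "/wp-admin/admin-ajax.php")


def inspect_request(method: str, path: str, body: str) -> list[str]:
    """Return one finding per role-like field in a registration POST; [] if clean."""
    findings: list[str] = []
    if method.upper() != "POST" or not path.startswith(REGISTER_PATHS):
        return findings
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if not ROLE_FIELD.search(name):
            continue
        for value in values:
            level = "privileged" if value.strip().lower() in PRIVILEGED else "unexpected"
            findings.append(f"{level} role field {name!r}={value!r} on {path}")
    return findings


def scan_requests(records) -> list[str]:
    """Run inspect_request over (method, path, body) tuples and collect findings."""
    hits: list[str] = []
    for method, path, body in records:
        hits.extend(inspect_request(method, path, body))
    return hits


# Constructed sample traffic: a normal sign-up, a GET that carries a role but
# cannot register anyone, and two POSTs that try to choose their own role.
SAMPLE_REQUESTS = [
    ("POST", "/wp-login.php?action=register", "user_login=bob&user_email=bob%40example.test"),
    ("GET", "/wp-admin/admin-ajax.php", "role=administrator"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=register_user&user_login=eve&user_email=eve%40example.test&role=administrator"),
    ("POST", "/wp-admin/admin-ajax.php", "action=register_user&user[role]=subscriber"),
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print("ALERT:", finding)
```

Feeding real access-log request bodies through inspect_request gives the alert the mitigation paragraph asks for; tune REGISTER_PATHS to the site's actual registration endpoints.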
Update to version 1.2.17 or a later patched version.
CVE-2025-13764 is a critical vulnerability in the WP CarDealer WordPress plugin allowing unauthenticated attackers to gain administrator access by manipulating user roles during registration.
You are affected if you are using WP CarDealer versions 0.0 through 1.2.16. Immediately check your plugin version and upgrade if necessary.
Upgrade the WP CarDealer plugin to version 1.2.17 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no confirmed active exploitation, but the vulnerability's simplicity makes it a likely target for attackers.
Refer to the official WP CarDealer plugin website and WordPress.org plugin repository for the latest security advisory and update information.