Platform
wordpress
Component
car-dealer-automotive-responsive
Fixed in
1.6.4
CVE-2025-1282 is an arbitrary file deletion vulnerability in the Car Dealer Automotive WordPress Theme – Responsive, caused by insufficient file path validation in the theme's add_car() function. Authenticated attackers with Subscriber-level access or higher can delete arbitrary files on the server, which can lead to remote code execution when the right file (such as wp-config.php) is removed. Versions 1.0.0 through 1.6.3 are affected; the fix is in version 1.6.4.
The primary impact is that any authenticated user can delete files the web-server process is allowed to remove. Subscriber is WordPress's default role for self-registered accounts, so on a site with open registration the only precondition is signing up. The most damaging target is wp-config.php: with that file gone, the next request to the site brings up the WordPress installation wizard, and an attacker can complete it against a database they control, obtain an administrator account on the freshly "installed" site, and then upload a plugin or theme containing arbitrary PHP. That is the path from file deletion to remote code execution, and it takes the original site offline in the process. The advisory text additionally indicates that arbitrary files can be read via the add_car() function, but deletion is the more immediate and severe risk. The root cause is the familiar one in WordPress theme and plugin file handlers: a client-supplied path is handed to a filesystem call without being resolved and confirmed to lie inside the intended upload directory.
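The root cause described above, as an added illustration that is not the theme's own code (the real add_car() is not reproduced here): a deletion handler that trusts a client-supplied path, beside a hardened version. The function names cdar_delete_car_image_vulnerable/hardened, the AJAX action name, the nonce name and the POST field names are assumptions made for this example; the WordPress APIs used (wp_upload_dir, check_ajax_referer, get_attached_file, wp_delete_attachment) are real.

```php
<?php
// Added illustration, not the theme's code. Function names, the AJAX action,
// the nonce name and the POST field names are assumptions for the example.

// VULNERABLE PATTERN: the handler trusts a client-supplied relative path.
// Stripping "../" once does not help: "....//" becomes "../" after the strip,
// so image=....//....//wp-config.php still escapes the uploads directory.
function cdar_delete_car_image_vulnerable() {
    $upload_dir = wp_upload_dir();
    $relative   = str_replace( '../', '', $_POST['image'] ); // naive filter
    $target     = $upload_dir['basedir'] . '/' . $relative;
    if ( file_exists( $target ) ) {
        unlink( $target ); // deletes whatever the traversal resolved to
    }
}

// HARDENED PATTERN: verify intent and capability, address the file by
// attachment ID rather than by path, and still confirm the resolved path
// lives under the uploads directory before anything touches the filesystem.
function cdar_delete_car_image_hardened() {
    check_ajax_referer( 'cdar_delete_image', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'auth', 403 ); // wp_send_json_error() exits
    }

    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $attachment    = get_post( $attachment_id );

    // Only real attachments, and only the uploader (or someone who may
    // delete others' content) can remove them.
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( 'not_found', 404 );
    }
    if ( (int) $attachment->post_author !== get_current_user_id()
         && ! current_user_can( 'delete_others_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Containment check: realpath() collapses ../ and symlinks; the trailing
    // separator stops "/uploads-evil" from matching the "/uploads" prefix.
    $upload_dir = wp_upload_dir();
    $base       = realpath( $upload_dir['basedir'] );
    $file       = realpath( get_attached_file( $attachment_id ) );
    if ( false === $base || false === $file
         || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'outside_uploads', 400 );
    }

    // wp_delete_attachment() removes the file, its thumbnails and metadata.
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_cdar_delete_car_image', 'cdar_delete_car_image_hardened' );
```

The hardened handler never passes a client-controlled string to unlink(); the client supplies an ID, WordPress resolves the path, and the realpath() containment test is kept as a second line of defence in case attachment metadata has been tampered with.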
CVE-2025-1282 was publicly disclosed on February 27, 2025. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released, but the ease of exploitation, combined with the potential for remote code execution, suggests that it could become a target for malicious actors. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS
1.00% (77th percentile)
The primary mitigation for CVE-2025-1282 is to upgrade the Car Dealer Automotive WordPress Theme – Responsive to version 1.6.4 or later. If an immediate upgrade is not possible because of compatibility or breaking changes, the following measures reduce exposure but do not remove the bug. Disable open registration (Settings → General, "Anyone can register") so attackers cannot simply create the Subscriber account the attack requires, and review existing low-privilege accounts. Make wp-config.php unwritable by the PHP process: read-only and owned by a user other than the one the web server runs as, or moved one directory above the document root, where WordPress also looks for it. Bear in mind that the vulnerable code runs as that same PHP process, so generic permission tightening cannot protect files WordPress itself must be able to write. Add a Web Application Firewall (WAF) rule that blocks requests to the theme's car-submission endpoint whose parameters contain path traversal sequences (../ and its URL-encoded forms). Regularly review WordPress theme and plugin updates to address vulnerabilities proactively. After upgrading, confirm that the installed version is 1.6.4 or later (the Version header in the theme's style.css, or the WP-CLI theme listing) rather than verifying by deleting files on a production site; if you do exercise the fix with a Subscriber account, do it on a staging copy, because a test that succeeds destroys the target file.
Update the Car Dealer Automotive WordPress Theme – Responsive theme to the latest available version (later than 1.6.3) to fix the arbitrary file deletion and read vulnerability. Make sure to take a full backup of the site before updating.
CVE-2025-1282 is a HIGH severity vulnerability in the Car Dealer Automotive WordPress Theme allowing authenticated users to delete arbitrary files, potentially leading to remote code execution.
Yes, if your WordPress site uses the Car Dealer Automotive WordPress Theme – Responsive version 1.0.0–1.6.3, you are affected by this vulnerability.
Upgrade the Car Dealer Automotive WordPress Theme – Responsive to version 1.6.4 or later. If an immediate upgrade is not possible, reduce exposure by disabling open registration, making wp-config.php unwritable by the PHP process, and adding a WAF rule for path traversal sequences, but treat these as stopgaps rather than a fix.
There is currently no indication of active exploitation, but the vulnerability's potential for RCE makes it a potential target.
Refer to the theme developer's website and changelog, and to the NVD record for CVE-2025-1282, for updates and advisories. This component is a theme, not a plugin, so the WordPress.org plugin repository will not carry it.