Platform
wordpress
Component
wp-cardealer
Fixed in
1.2.17
CVE-2025-13764 describes a Privilege Escalation vulnerability affecting the WP CarDealer plugin for WordPress. This flaw allows unauthenticated attackers to escalate their privileges to administrator level by manipulating user roles during registration. The vulnerability impacts versions 0.0 through 1.2.16 of the plugin, and a patch is available in version 1.2.17.
The impact of this vulnerability is severe. An unauthenticated attacker can exploit it to gain full administrative control over a WordPress site running an affected version of WP CarDealer. This grants them the ability to modify content, install malicious plugins, steal sensitive data (user credentials, financial information, customer data), and potentially compromise the entire server. The ease of exploitation, requiring only a crafted registration request, significantly increases the risk of widespread attacks. This vulnerability is particularly concerning given the popularity of WordPress and the potential for large-scale compromise.
This vulnerability was publicly disclosed on December 11, 2025. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the plugin's popularity make it a high-priority target. The vulnerability's simplicity suggests that public proof-of-concept exploits are likely to emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.15% (35th percentile)
The primary mitigation is to upgrade the WP CarDealer plugin to version 1.2.17 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily restrict user registration to trusted sources, or enforce the site's default new-user role server-side so that a role supplied in a registration request is ignored. As a partial measure, a Web Application Firewall (WAF) can be configured to block registration requests that carry an administrator role assignment. Monitor WordPress logs for unusual registration attempts and for newly created administrator accounts. After upgrading, verify the fix by attempting to register a new user with the 'administrator' role; the registration should fail.
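One way to implement the interim "enforce the default role" workaround and the log monitoring described above is a must-use plugin that intercepts any unauthorised grant of the administrator role. This is an added example, not code from the WP CarDealer plugin or this advisory; it assumes the plugin assigns the role through WordPress's standard wp_insert_user()/WP_User::set_role() path (which fires the set_user_role action), and the hr_ function names are placeholders.

```php
<?php
/**
 * Plugin Name: Registration role guard (added example, not WP CarDealer code)
 * Description: Demotes and logs any account granted 'administrator' outside an authorised context.
 * Install by placing this file in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Contexts in which assigning the administrator role is legitimate.
function hr_role_grant_is_authorised() {
    // WP-CLI and the WordPress installer run without a logged-in user.
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || ( defined( 'WP_INSTALLING' ) && WP_INSTALLING ) ) {
        return true;
    }
    // An authenticated user who may promote others (for example an existing administrator).
    return is_user_logged_in() && current_user_can( 'promote_users' );
}

// Fires from WP_User::set_role(), which wp_insert_user() calls for any 'role' in the registration data
// (assumption: the vulnerable plugin uses that core path rather than writing capability meta directly).
function hr_guard_admin_role( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role || hr_role_grant_is_authorised() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    // Our own set_role() call fires this same action again, so unhook while demoting.
    remove_action( 'set_user_role', 'hr_guard_admin_role', 10 );
    $user->set_role( get_option( 'default_role', 'subscriber' ) );
    add_action( 'set_user_role', 'hr_guard_admin_role', 10, 3 );

    // Leave a trail for the log review the advisory recommends.
    error_log( sprintf(
        '[role-guard] blocked administrator grant for user %d (%s) from %s; previous roles: %s',
        $user_id,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli',
        implode( ',', (array) $old_roles )
    ) );
}
add_action( 'set_user_role', 'hr_guard_admin_role', 10, 3 );
```

The guard only sees role changes that pass through WP_User::set_role(); a plugin that writes the capabilities user meta directly would bypass it, so treat this as defence in depth alongside the upgrade, and review the error log for `[role-guard]` entries after deploying it.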
Update to version 1.2.17, or a newer patched version
CVE-2025-13764 is a critical vulnerability in the WP CarDealer WordPress plugin allowing unauthenticated attackers to gain administrator access by manipulating user roles during registration.
You are affected if you are using WP CarDealer versions 0.0 through 1.2.16. Immediately check your plugin version and upgrade if necessary.
Upgrade the WP CarDealer plugin to version 1.2.17 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no confirmed active exploitation, but the vulnerability's simplicity makes it a likely target for attackers.
Refer to the official WP CarDealer plugin website and WordPress.org plugin repository for the latest security advisory and update information.