Platform: wordpress
Component: cardealer
Fixed in: 1.6.8
CVE-2026-24391 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in ThemeMakers Car Dealer, a WordPress plugin. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions from 0.0.0 up to and including 1.6.7, but a patch is available in version 1.6.8.
The primary impact of this Reflected XSS vulnerability is the potential for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be exploited to steal sensitive information such as session cookies, allowing the attacker to impersonate the user. Attackers could also redirect users to malicious websites, deface the website, or inject malware. The scope of the attack is limited to users who interact with the vulnerable page, but the potential for widespread impact exists if the plugin is widely deployed and user interaction is frequent. Successful exploitation requires an attacker to craft a malicious URL containing the XSS payload and entice a victim to click it.
CVE-2026-24391 was publicly disclosed on 2026-03-25. No known public exploits or active campaigns targeting this vulnerability have been reported as of this writing. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.1 (High) indicates a significant risk, and because the fix is public, installations that remain on a vulnerable version are likely to be targeted over time.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The most effective mitigation for CVE-2026-24391 is to immediately upgrade the ThemeMakers Car Dealer plugin to version 1.6.8 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input, looking for patterns indicative of XSS payloads such as <script> tags or inline event handlers; note that signature-based filtering is a stopgap, not a fix, because encoded or unusual payload forms can evade it. Server-side input validation and context-appropriate output encoding also prevent XSS, but applying them to third-party plugin code is a more complex workaround. Regularly scan your WordPress installation for vulnerable plugins using a security scanner.
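To show what the server-side fix looks like in WordPress terms, here is an added example (not code from the Car Dealer plugin, whose vulnerable code path and parameter name are not given in this advisory) of a hypothetical shortcode handler that reflects a query parameter, first in its vulnerable form and then hardened with sanitization and context-specific escaping:

```php
<?php
// Added illustration, not the plugin's code. The query parameter "make" and
// the shortcode name are assumptions chosen for the example.

// BEFORE: reflected XSS. The raw query-string value is written straight into
// the response, so whatever the URL carries becomes part of the page markup.
function cardealer_example_heading_vulnerable() {
    $make = isset( $_GET['make'] ) ? $_GET['make'] : '';
    return '<h2>Results for ' . $make . '</h2>'
         . '<input type="text" name="make" value="' . $make . '">';
}

// AFTER: the same handler with the two fixes WordPress expects.
// 1. Sanitize on input: wp_unslash() removes magic-quote slashes and
//    sanitize_text_field() strips tags, octets and control characters.
// 2. Escape on output with the function that matches the HTML context:
//    esc_html() for element text, esc_attr() for attribute values (both
//    encode <, >, &, " and ' as entities, so the value cannot break out).
function cardealer_example_heading_fixed() {
    $make = isset( $_GET['make'] )
        ? sanitize_text_field( wp_unslash( $_GET['make'] ) )
        : '';
    return '<h2>Results for ' . esc_html( $make ) . '</h2>'
         . '<input type="text" name="make" value="' . esc_attr( $make ) . '">';
}

// Register only the hardened handler; shortcode name is an assumption.
add_shortcode( 'cardealer_example_heading', 'cardealer_example_heading_fixed' );
```

The escaping function must match where the value lands: a value placed inside a JavaScript block or a URL needs esc_js() or esc_url() respectively, not esc_html().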
Update to version 1.6.8, or a newer patched version
CVE-2026-24391 is a Reflected XSS vulnerability in the ThemeMakers Car Dealer WordPress plugin, allowing attackers to inject malicious scripts into web pages.
You are affected if you are using ThemeMakers Car Dealer versions 0.0.0 through 1.6.7. Upgrade to 1.6.8 to mitigate the risk.
Upgrade the ThemeMakers Car Dealer plugin to version 1.6.8 or later. Consider WAF rules as a temporary workaround.
No active exploitation has been confirmed as of this writing, but the High severity score suggests potential for future attacks.
Refer to the ThemeMakers website or WordPress plugin repository for the latest advisory and update information.