Platform
wordpress
Component
cardealer
Fixed version
1.6.8
CVE-2026-24391 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in ThemeMakers Car Dealer, a WordPress plugin. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions from 0.0.0 up to and including 1.6.7, but a patch is available in version 1.6.8.
The primary impact of this Reflected XSS vulnerability is the potential for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be exploited to steal sensitive information such as session cookies, allowing the attacker to impersonate the user. Attackers could also redirect users to malicious websites, deface the website, or inject malware. The scope of the attack is limited to users who interact with the vulnerable page, but the potential for widespread impact exists if the plugin is widely deployed and user interaction is frequent. Successful exploitation requires an attacker to craft a malicious URL containing the XSS payload and entice a victim to click it.
CVE-2026-24391 was publicly disclosed on 2026-03-25. No known public exploits or active campaigns targeting this vulnerability have been reported as of this writing, and the vulnerability is not currently listed in the CISA KEV catalog. The CVSS score of 7.1 (High) indicates a significant risk, and now that a patch is available, exploitation of installations that remain unpatched becomes more likely.
Websites utilizing the ThemeMakers Car Dealer plugin, particularly those with user input fields that are not properly sanitized, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r '<script>' /var/www/html/wp-content/plugins/cardealer/*
• generic web:
curl -I 'https://example.com/vulnerable-page?param=<script>alert(1)</script>'
• wordpress / composer / npm:
wp plugin list --status=inactive | grep cardealer
• wordpress / composer / npm:
wp plugin update cardealer
Disclosure
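The checks above tell you whether the plugin is present; deciding whether the installed build is in the affected range (0.0.0 through 1.6.7, fixed in 1.6.8) also needs a numeric version comparison, since a plain string compare would wrongly flag a hypothetical 1.10.x as older than 1.6.8. The following is an added example, not code from the advisory or from ThemeMakers: it reads the `Version:` field from the header comment that every WordPress plugin declares in its main PHP file (the sample header below is constructed) and compares it against the fixed version.

```python
"""Classify an installed Car Dealer plugin build against CVE-2026-24391.

Added example, not part of the advisory or of the plugin. WordPress plugins
declare their version in a header comment of the main PHP file; this reads
that field and compares it numerically against the fixed version 1.6.8.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "1.6.8"  # from the advisory: 0.0.0 through 1.6.7 are affected

# Constructed sample header, shaped like a real WordPress plugin header comment.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Car Dealer
 * Version: 1.6.7
 * Author: ThemeMakers
 */
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.7' into (1, 6, 7); a non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def plugin_version(header_text: str) -> Optional[str]:
    """Extract the declared 'Version:' value from a plugin header, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([^\r\n]+)", header_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


def is_affected(version: str) -> bool:
    """True when the version sorts numerically below the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_plugin_file(path: str) -> Optional[bool]:
    """Read a plugin's main file from disk; None means no Version: header was found."""
    declared = plugin_version(Path(path).read_text(encoding="utf-8", errors="replace"))
    return None if declared is None else is_affected(declared)


if __name__ == "__main__":
    v = plugin_version(SAMPLE_HEADER)
    print(f"declared version {v}: {'AFFECTED' if is_affected(v) else 'patched'}")
```

Point `check_plugin_file` at the plugin's main PHP file under `wp-content/plugins/cardealer/` to run it against a real install.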
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The most effective mitigation for CVE-2026-24391 is to immediately upgrade the ThemeMakers Car Dealer plugin to version 1.6.8 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input. Specifically, look for patterns indicative of XSS payloads, such as <script> tags or event handlers. Input validation and output encoding on the server-side can also help prevent XSS, but this is a more complex workaround. Regularly scan your WordPress installation for vulnerable plugins using a security scanner.
Update to version 1.6.8, or a newer patched version
CVE-2026-24391 is a Reflected XSS vulnerability in the ThemeMakers Car Dealer WordPress plugin, allowing attackers to inject malicious scripts into web pages.
You are affected if you are using ThemeMakers Car Dealer versions 0.0.0 through 1.6.7. Upgrade to 1.6.8 to mitigate the risk.
Upgrade the ThemeMakers Car Dealer plugin to version 1.6.8 or later. Consider WAF rules as a temporary workaround.
No active exploitation has been confirmed as of this writing, but the High severity score suggests potential for future attacks.
Refer to the ThemeMakers website or WordPress plugin repository for the latest advisory and update information.