PT-2025-8928 · WordPress · Car Dealer Automotive Wordpress Theme

Tonn · Published 2025-02-27 · Updated 2025-03-11 · CVE-2025-1282

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Car Dealer Automotive WordPress Theme, versions up to and including 1.6.3.

Description: The issue allows authenticated attackers with Subscriber-level access and above to delete arbitrary files on the server due to insufficient file path validation in the delete_post_photo() and add_car() functions. This can lead to remote code execution when critical files, such as wp-config.php, are deleted. Additionally, the add_car() function may enable the reading of arbitrary files.

Recommendations: For versions up to and including 1.6.3, update to a version that includes a fix for the insufficient file path validation in the delete_post_photo() and add_car() functions. As a temporary workaround, consider restricting access to these functions to prevent arbitrary file deletion and potential remote code execution.
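The missing control the advisory describes is a containment check on the user-supplied path before it reaches unlink() or a file read. The helper below is an added illustration of such a check, not code from the Car Dealer theme; the cd_example_* function names and the handler shape are assumptions, while the WordPress calls (wp_upload_dir, current_user_can, get_post, wp_delete_file, wp_send_json_error) are the stock core API.

```php
<?php
// Added example, not the theme's own code. Resolves a user-supplied upload
// path and refuses anything outside the uploads directory or not owned by
// the calling user. Function names prefixed cd_example_ are hypothetical.

function cd_example_resolve_owned_upload( string $requested, int $post_id ) {
    // Embedded null bytes truncate paths in some C-level calls; reject early.
    if ( strpos( $requested, "\0" ) !== false ) {
        return new WP_Error( 'bad_path', 'Invalid path.' );
    }
    // Only users allowed to manage uploads may touch files at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    // Treat the name as relative to the uploads base dir. realpath() collapses
    // "../" segments and symlinks, so the prefix test below is meaningful.
    $base = realpath( wp_upload_dir()['basedir'] );
    $full = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $requested, '/\\' ) );
    if ( $base === false || $full === false ) {
        return new WP_Error( 'bad_path', 'File not found.' );
    }
    if ( strpos( $full, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        // Resolved path escaped the uploads dir (e.g. towards wp-config.php).
        return new WP_Error( 'bad_path', 'Path outside uploads directory.' );
    }
    // Bind the file to a listing the current user owns, so one subscriber
    // cannot remove another user's photos even inside the uploads dir.
    $post = get_post( $post_id );
    if ( ! $post || (int) $post->post_author !== get_current_user_id() ) {
        return new WP_Error( 'forbidden', 'Not the owner of this listing.' );
    }
    return $full;
}

// Hypothetical AJAX handler: every refusal happens before the delete.
function cd_example_delete_post_photo( string $requested, int $post_id ) {
    $path = cd_example_resolve_owned_upload( $requested, $post_id );
    if ( is_wp_error( $path ) ) {
        wp_send_json_error( $path->get_error_message(), 403 );
    }
    wp_delete_file( $path ); // core wrapper around unlink()
    wp_send_json_success();
}
```

Because realpath() returns false for a non-existent file, the same helper can guard a read path as well as a delete path; the prefix comparison must include the trailing directory separator, or a sibling directory such as uploads-old would pass the check.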

Tags: Fix · RCE · Path traversal


Weakness Enumeration: (none listed)

Related Identifiers: CVE-2025-1282

Affected Products: Car Dealer Automotive Wordpress Theme