CVE-2025-1681

Name of the Vulnerable Software and Affected Versions Cardealer theme for WordPress versions up to, and including, 1.6.4

Description The issue is related to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions. This allows authenticated attackers with subscriber-level access and above to modify or delete arbitrary css and js files, resulting in unauthorized modification of data and potential loss of data.

Recommendations For versions up to, and including, 1.6.4, update to a version that includes the necessary capability checks and filename sanitization to prevent unauthorized modifications. As a temporary workaround, consider restricting access to the demo theme scheme AJAX functions to prevent exploitation by authenticated attackers.