PT-2025-9040 · WordPress · Cardealer Theme For Wordpress

István Márton

Published

2025-02-27

Updated

2025-03-05

CVE-2025-1682

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Cardealer theme for WordPress versions up to, and including, 1.6.4

Description The issue is related to a missing capability check on the save settings function, which allows authenticated attackers with subscriber-level access and above to modify the default user role, thus enabling privilege escalation.

Recommendations For versions up to, and including, 1.6.4, consider disabling the save settings function until a patch is available to prevent exploitation. Restrict access to the settings modification functionality to minimize the risk of privilege escalation. Update to a version that includes a fix for the missing capability check on the save settings function.

Fix

LPE

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2025-1682

Affected Products

Cardealer Theme For Wordpress

PT-2025-9040 · WordPress · Cardealer Theme For Wordpress

CVE-2025-1682

Weakness Enumeration

Related Identifiers

Affected Products

References · 12