CVE-2025-13764

Critical CVSS: 9.8

The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16. This is due to the 'WP_CarDealer_User::process_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

Vendor

Product

CWE

CWE-269

Yayın Tarihi

2025-12-11 03:15:57

Güncelleme

2025-12-12 15:18:13

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-269 CRITICAL 2025

Referanslar

https://themeforest.net/item/boxcar-automotive-car-dealer-wordpress-theme/49741717 https://www.wordfence.com/threat-intel/vulnerabilities/id/f4893d9c-e039-43df-80b9-dbe42374caed?source=cve