MEDIUM 6.4

CVE-2025-14042: Stored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1

The Automotive Car Dealership Business WordPress Theme contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 13.4.1. An attacker with contributor-level or higher permissions can inject malicious scripts into Portfolio Item 'Project Details' fields. These scripts will execute when other users view the affected pages, potentially compromising visitor sessions, stealing credentials, or defacing content. The vulnerability stems from the theme's failure to properly sanitize and escape user input in a custom field.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Project Details' custom field in Portfolio Items in all versions up to, and including, 13.4.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'project_details' custom field. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This stored XSS vulnerability (CWE-79) exists in the 'project_details' custom field of Portfolio Items within the Automotive Car Dealership Business WordPress Theme. The theme does not adequately sanitize input or escape output on user-supplied attributes in this field. An authenticated attacker with contributor role or above can inject arbitrary JavaScript that persists in the database. The injected script executes in the browser context of any user who accesses a page containing the malicious Portfolio Item, allowing execution under that user's permissions and session context. The CVSS 3.1 score of 6.4 (MEDIUM) reflects network accessibility, low attack complexity, required authentication, and low-to-moderate impact on confidentiality and integrity without availability impact.

Business impact

A successful exploit could enable attackers to conduct phishing attacks, steal administrator credentials, inject malware links, or modify portfolio content visible to potential customers. For automotive dealerships relying on their website for sales leads and brand reputation, this could result in customer distrust, compliance violations if personal data is harvested, and operational disruption. Since the vulnerability requires only contributor-level access, insider threats or compromised lower-privileged accounts pose a realistic risk. Multi-site WordPress networks amplify exposure if a single compromised account affects many dealerships.

Affected systems

The Automotive Car Dealership Business WordPress Theme is affected in all versions up to and including 13.4.1. Vulnerability exists only when the theme is actively installed and used on WordPress sites. Any WordPress site using this theme with user roles that include contributor permissions or higher is at risk. WordPress multisite installations may face elevated risk if a single compromised account has site-wide privileges.

Exploitability

Exploitability is moderate. An attacker must already possess authenticated access with contributor-level permissions or above—this could be a hired consultant, compromised employee account, or malicious plugin introducing such a user. The attack requires no user interaction beyond normal site browsing; the XSS payload executes automatically when an administrator, editor, or other user views the affected Portfolio Item. No browser-specific vulnerabilities or user clicks are needed. However, the barrier to entry (requiring authentication) prevents unauthenticated mass exploitation.

Remediation

Update the Automotive Car Dealership Business WordPress Theme to a patched version released after 13.4.1. Verify the patch against the theme's official repository or vendor advisory. Until patching is possible, restrict contributor-level permissions to trusted users only, disable Portfolio Items if not actively used, and implement Web Application Firewall (WAF) rules to detect and block JavaScript injection patterns in POST requests to Portfolio Item fields. Consider using security plugins that sanitize custom fields on output.

Patch guidance

Check the theme's official WordPress.org repository or vendor support channels for version 13.5 or later, which should include sanitization and escaping fixes for the 'project_details' field. Apply patches promptly to all affected WordPress installations. Test patches in a staging environment first to ensure compatibility with custom portfolio queries or display logic. After patching, verify that Portfolio Items render correctly and that no JavaScript injection attempts are reflected in page source.

Detection guidance

Monitor for Portfolio Item modifications via WordPress audit logs, focusing on changes to 'project_details' custom field values containing script tags, event handlers (onclick, onload), or encoded JavaScript. Use WordPress security plugins to log and alert on contributor+ role assignments. Check page source of published Portfolio Items for unexpected <script> tags or suspicious event attributes. Query WordPress postmeta table for 'project_details' entries containing patterns like '<script', 'javascript:', or common XSS payloads. Alert if multiple Portfolio Items are modified in a short timeframe by a single low-privilege user.

Why prioritize this

Prioritize this vulnerability for organizations running the Automotive Car Dealership Business WordPress Theme in production. While CVSS 6.4 is rated MEDIUM, stored XSS affecting Portfolio Items—a public-facing feature—poses reputational and customer-facing risks that justify prompt attention. The barrier of requiring authenticated access reduces immediate mass-exploitation risk, but the ease of payload persistence and automatic execution upon page view makes it a meaningful security liability. Dealerships should patch within 2–4 weeks, contingent on business testing windows.

Risk score, explained

CVSS 3.1 score of 6.4 (MEDIUM) reflects: Attack Vector Network (AV:N)—exploitable over network; Attack Complexity Low (AC:L)—no special conditions needed; Privileges Required Low (PR:L)—contributor role minimum; User Interaction None (UI:N)—payload executes automatically; Scope Changed (S:C)—impacts other users' sessions; Confidentiality Low (C:L)—session hijacking or data theft possible; Integrity Low (I:L)—content modification possible; Availability None (A:N)—no DoS component. The score appropriately reflects that while an attacker can harm site visitors and integrity, the authentication requirement and lack of system-level impact limit severity. Organizations should weigh customer exposure and brand risk as qualitative factors beyond the numeric score.

Frequently asked questions

Can this vulnerability be exploited without WordPress admin access?

No. The vulnerability requires authenticated access at contributor level or higher. An attacker must have a valid WordPress user account with contributor, author, editor, or administrator permissions. This limits exploitation to insiders, compromised accounts, or users provisioned via plugins. Unauthenticated visitors cannot inject payloads.

If we disable the Portfolio feature, are we fully protected?

Yes, disabling or removing the Portfolio functionality eliminates the attack surface for this specific vulnerability. However, if Portfolio Items are already created, verify they are not accessible via direct URL or shortcode remnants before fully disabling. Check your theme documentation for safe Portfolio disabling procedures, and clear any cached Portfolio data.

Does this affect all WordPress sites, or only those using this specific theme?

Only WordPress sites with the Automotive Car Dealership Business WordPress Theme installed and active are affected. If your site uses a different theme, you are not vulnerable to this particular CVE. Verify your active theme in WordPress admin under Appearance > Themes.

What is the risk if we restrict contributor access until a patch is available?

Restricting contributor access is an effective interim control. You'll maintain Portfolio functionality for editors and admins while reducing the attack surface. The trade-off is reduced workflow flexibility if contributors regularly add portfolio content. Review your team's needs and consider re-enabling contributor access only after patching.

This analysis is provided for informational purposes to support security decision-making. SEC.co does not provide legal advice, and organizations should verify all patch versions and availability with official vendor sources before deployment. Testing in non-production environments is mandatory. Exploit code and weaponized proofs-of-concept are not provided. Organizations should consult WordPress security best practices and their own risk management policies when prioritizing remediation. Information accuracy is based on source data current as of the analysis date; subsequent vendor updates may supersede this guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).