16 matches found
CVE-2025-1681
The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated...
CVE-2025-1682
The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'savesettings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user ro...
EUVD-2025-5485
Malicious code in bioql PyPI...
EUVD-2025-5486
Malicious code in bioql PyPI...
CVE-2025-1687
The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'updateuserprofile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forg...
CVE-2025-1687
The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'updateuserprofile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forg...
CVE-2025-1682
The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'savesettings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user ro...
CVE-2025-1681
The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated...
CVE-2025-1687 Cardealer <= 1.6.4 - Cross-Site Request Forgery to User Update via update_user_profile
The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'updateuserprofile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forg...
CVE-2025-1682 Cardealer <= 1.6.4 - Arbitrary Theme Option Update to Authenticated (Subscriber+) Privilege Escalation
The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'savesettings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user ro...
CVE-2025-1687
CVE-2025-1687 affects the Cardealer WordPress theme (
CVE-2025-1681 Cardealer <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files
The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated...
CVE-2025-1681 Cardealer <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files
The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated...
CVE-2025-1681
CVE-2025-1681 (Cardealer theme, WordPress) affects Cardealer up to version 1.6.4. The issue stems from a missing capability check and missing filename sanitization in the demo theme scheme AJAX functions, enabling authenticated attackers (subscriber level and above) to change or delete arbitrary ...
WordPress Cardealer theme <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files vulnerability
Missing Authorization to Authenticated Subscriber+ Change and Delete JS and CSS Files vulnerability discovered by István Márton in WordPress Theme Car Dealer versions = 1.6.4...
PT-2025-9039 · WordPress · Cardealer Theme
Name of the Vulnerable Software and Affected Versions: Cardealer theme for WordPress versions up to, and including, 1.6.4 Description: The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename...