CVE-2025-1282
Published: 27 February 2025
Summary
CVE-2025-1282 is a high-severity Path Traversal (CWE-22) vulnerability in Thememakers Car Dealer Automotive. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Car Dealer Automotive WordPress Theme, a responsive theme for WordPress, contains a path traversal vulnerability (CWE-22) in the delete_post_photo() and add_car() functions. Insufficient file path validation affects all versions through 1.6.3 and enables arbitrary file operations on the server.
Authenticated users with Subscriber-level access or higher can exploit the flaw over the network to delete arbitrary files, which may result in remote code execution when critical files such as wp-config.php are removed. The add_car() function can additionally be abused to read arbitrary files on the server. The issue carries a CVSS 3.1 score of 8.8.
Public references point to the vendor’s ThemeForest listing and a detailed Wordfence advisory that describe the affected functions and the conditions required for exploitation.
EPSS probability for the CVE rose from lower values after disclosure to a recorded peak of 0.0559 on 2026-04-07 before receding to the current 0.0375, indicating a measurable increase in observed exploitation interest following publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5116
Vulnerability details
The Car Dealer Automotive WordPress Theme – Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_post_photo() and add_car() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The add_car() function may also make it possible to read arbitrary files.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing WordPress theme directly enables remote exploitation of the web application (T1190) by an authenticated user, leading to arbitrary file operations and potential RCE via site compromise.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates the insufficient file path validation in the delete_post_photo() and add_car() functions that enables path traversal for arbitrary file deletion and reading.
- SI-2 (Flaw Remediation): Requires timely patching or removal of the vulnerable Car Dealer WordPress theme versions up to 1.6.3 to remediate the path traversal flaw.
- Least privilege: Limits Subscriber-level and higher users to least privilege, reducing the scope of exploitable arbitrary file operations even if path traversal occurs.
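The following is an added example of the input-validation and least-privilege controls described above, written as a defender would harden a theme's photo-deletion handler. It is not the Car Dealer theme's own code: the function names cda_example_resolve_upload_path and cda_example_delete_post_photo and the nonce action name are hypothetical, while current_user_can(), check_ajax_referer(), wp_upload_dir() and wp_delete_file_from_directory() are real WordPress core functions. The idea is that a user-controlled value is reduced to a bare file name, resolved with realpath(), and accepted only if the resolved path still lies inside the site's uploads directory, and that the request must come from a user who can edit the post rather than from any Subscriber.

```php
<?php
// Added example (not the theme's code). Confine a user-supplied file name to
// the uploads directory before deleting it, and require a capability above
// Subscriber. Names prefixed cda_example_ are hypothetical.

function cda_example_resolve_upload_path(string $base_dir, string $user_path): ?string {
    // NUL bytes can truncate the path in the underlying filesystem call.
    if (strpos($user_path, "\0") !== false) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Accept only a bare file name: no separators, no "." or "..".
    $name = basename($user_path);
    if ($name !== $user_path || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() follows symlinks, so a link pointing outside the base
    // directory resolves to its real target and fails the prefix check below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function cda_example_delete_post_photo(int $post_id, string $user_path): bool {
    // Least privilege: only a user who may edit this post may delete its photo,
    // and the request must carry a valid nonce for this action.
    if (!current_user_can('edit_post', $post_id)) {
        return false;
    }
    check_ajax_referer('cda_example_delete_photo', 'nonce');

    $upload = wp_upload_dir();
    $target = cda_example_resolve_upload_path($upload['basedir'], $user_path);
    if ($target === null) {
        return false;
    }
    // Core helper that refuses to delete anything outside the given directory,
    // so the confinement is enforced twice.
    return wp_delete_file_from_directory($target, $upload['basedir']);
}
```

The same resolver can guard a read path such as the add_car() case: any function that opens a file named by request input should pass the name through the resolver first and treat a null result as a rejected request, not as a fallback to the raw value.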