Cyber Resilience

CVE-2025-1282

Severity: High

Published: 27 February 2025

Modified: 11 March 2025
KEV Added: none
Patch: none listed
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0375 (88.3rd percentile)
Risk priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1282 is a high-severity Path Traversal (CWE-22) vulnerability in Thememakers Car Dealer Automotive. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Car Dealer Automotive WordPress Theme, a responsive theme for WordPress, contains a path traversal vulnerability (CWE-22) in the delete_post_photo() and add_car() functions. Insufficient file path validation affects all versions through 1.6.3 and enables arbitrary file operations on the server.

Authenticated users with Subscriber-level access or higher can exploit the flaw over the network to delete arbitrary files, which may result in remote code execution when critical files such as wp-config.php are removed. The add_car() function can additionally be abused to read arbitrary files on the server. The issue carries a CVSS 3.1 score of 8.8.

Public references point to the vendor’s ThemeForest listing and a detailed Wordfence advisory that describe the affected functions and the conditions required for exploitation.

EPSS probability for the CVE rose from lower values after disclosure to a recorded peak of 0.0559 on 2026-04-07 before receding to the current 0.0375, indicating a measurable increase in observed exploitation interest following publication.

EU & UK References

Vulnerability details

The Car Dealer Automotive WordPress Theme – Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_post_photo() and add_car() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The add_car() function may also make it possible to read arbitrary files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in a public-facing WordPress theme directly enables remote exploitation of the web application (T1190) by authenticated users, leading to arbitrary file operations and potential RCE through compromise of the site.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64075 (shared CWE-22)
CVE-2024-53537 (shared CWE-22)
CVE-2024-36512 (shared CWE-22)
CVE-2025-0493 (shared CWE-22)
CVE-2025-70231 (shared CWE-22)
CVE-2026-43888 (shared CWE-22)
CVE-2025-15031 (shared CWE-22)
CVE-2026-25785 (shared CWE-22)
CVE-2025-11366 (shared CWE-22)
CVE-2026-1810 (shared CWE-22)

Affected Assets

Vendor: thememakers
Product: car dealer automotive
Versions: ≤ 1.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (Information Input Validation), control type: prevent

Directly mitigates the insufficient file path validation in the delete_post_photo() and add_car() functions that enables path traversal for arbitrary file deletion and reading.

SI-2 (Flaw Remediation), control type: prevent

Requires timely patching or removal of the vulnerable Car Dealer WordPress theme versions up to 1.6.3 to remediate the path traversal flaw.

Control type: prevent

Limits Subscriber-level and higher users to least privilege, reducing the scope of exploitable arbitrary file operations even if path traversal occurs.
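As an added example of the SI-10 input validation and least-privilege controls applied to this flaw (not code from the Car Dealer Automotive theme or from Wordfence), the PHP helper below resolves a user-supplied photo path, refuses anything that lands outside the WordPress uploads directory, and checks the caller's capability before unlinking. wp_get_upload_dir() and current_user_can() are real WordPress functions; resolve_within_base() and safe_delete_photo() are hypothetical helper names.

```php
<?php
// Added example, not the theme's own code. Demonstrates the path-confinement
// check the advisory describes as missing from delete_post_photo().

function resolve_within_base(string $base, string $relative): ?string {
    // Fail early and explicitly on NUL bytes rather than relying on lower layers.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $real_base = realpath($base);
    if ($real_base === false) {
        return null;
    }
    // Trailing separator so that "/srv/uploads-old" cannot pass for "/srv/uploads".
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // realpath() collapses "..", resolves symlinks and returns false when the
    // target does not exist, so a traversing or dangling input never survives.
    $candidate = realpath($real_base . $relative);
    if ($candidate === false) {
        return null;
    }
    // Prefix check on the canonical path: "../../wp-config.php" resolves to the
    // WordPress root, which does not start with the uploads prefix.
    if (strncmp($candidate, $real_base, strlen($real_base)) !== 0) {
        return null;
    }
    return $candidate;
}

function safe_delete_photo(int $post_id, string $relative): bool {
    // Authorization first: a Subscriber-level account must not reach unlink().
    if (!current_user_can('delete_post', $post_id)) {
        return false;
    }
    $uploads = wp_get_upload_dir(); // real WordPress API; 'basedir' is the uploads root
    $target  = resolve_within_base($uploads['basedir'], $relative);
    // is_file() also stops directories and special files from being removed.
    if ($target === null || !is_file($target)) {
        return false;
    }
    return unlink($target);
}
```

Because realpath() rejects non-existent targets, a deleted-or-missing photo returns false rather than reaching unlink(), which is the desired failure mode for a delete handler.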

References