Cyber Resilience

CVE-2025-1682

High

Published: 28 February 2025

Published
28 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0007 21.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1682 is a high-severity Missing Authorization (CWE-862) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-1682 is a privilege escalation vulnerability in the Cardealer theme for WordPress, affecting versions up to and including 1.6.4. The issue arises from a missing capability check in the 'save_settings' function, classified as CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant confidentiality, integrity, and availability impacts.

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation enables them to modify the default user role, allowing privilege escalation on the targeted WordPress site.

Advisories and patch information are available from referenced sources, including the theme's changelog at https://webtemplatemasters.com/cardealer/changelog/#v165 (noting version 1.6.5), Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/4e337281-f05e-486c-9491-161365af252a?source=cve, and the theme page at https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708. Security practitioners should update to a patched version and review access controls for low-privilege users.

EU & UK References

Vulnerability details

The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify…

more

the default user role.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization check enables authenticated low-privilege users to modify default roles for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-8547Shared CWE-862
CVE-2026-22172Shared CWE-862
CVE-2025-48574Shared CWE-862
CVE-2026-0026Shared CWE-862
CVE-2025-48578Shared CWE-862
CVE-2025-48634Shared CWE-862
CVE-2026-28193Shared CWE-862
CVE-2026-0845Shared CWE-862
CVE-2025-49723Shared CWE-862
CVE-2024-12171Shared CWE-862

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the missing capability check by enforcing approved authorizations for logical access to modify settings.

prevent

Implements least privilege to restrict subscriber-level users from performing administrative actions like modifying default user roles.

prevent

Mandates timely flaw remediation, such as patching the Cardealer theme to version 1.6.5, to correct the missing authorization vulnerability.

References