EUVD-2025-19909CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Tags
Description
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Analysis
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Technical Context
Unrestricted file upload allows attackers to upload malicious files (web shells, executables) that can then be executed on the server. This vulnerability is classified as Unrestricted Upload of File with Dangerous Type (CWE-434).
Affected Products
Affected products: E4Jconnect Vikrentcar
Remediation
A vendor patch is available — apply it immediately. Validate file types by content (magic bytes), not just extension. Store uploads outside the web root. Use random filenames. Scan uploads for malware.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today