Skip to main content

Car Zone CVE-2025-69139

| EUVDEUVD-2025-210206 HIGH
Path Traversal (CWE-22)
2026-06-16 Patchstack
8.6
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
8.6 HIGH

Unauthenticated network request triggers file deletion (AV:N/AC:L/PR:N/UI:N); impact crosses theme to WordPress core (S:C); only availability is affected (C:N/I:N/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:57 vuln.today

DescriptionCVE.org

Unauthenticated Arbitrary File Deletion in Car Zone <= 3.7 versions.

AnalysisAI

Arbitrary file deletion in the Car Zone WordPress theme (versions through 3.7) by Aivah Themes lets remote, unauthenticated attackers remove files on the underlying server through a path-traversal flaw. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/A:H) reflects that file deletion crosses scope into the broader WordPress installation, enabling denial-of-service or forced reinstall scenarios. No public exploit identified at time of analysis and the CVE is not in CISA KEV.

Technical ContextAI

This is a CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal') issue in the Car Zone theme tracked under CPE cpe:2.3:a:aivahthemes:car_zone:*. Path-traversal bugs of this class in WordPress themes typically arise when a theme exposes an admin-ajax.php or REST handler that takes a filename parameter and passes it to unlink() or similar without canonicalising the path or restricting it to an allowed directory, allowing ../ sequences to escape the uploads or theme directory. Because WordPress runs the web server as a single OS user, deletion is bounded only by filesystem permissions of the PHP process, which usually has write access to wp-config.php, plugin files, and the uploads tree.

RemediationAI

No vendor-released patch version is identified in the supplied data - the Patchstack advisory is the only reference and it does not name a fixed release. Operators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/carzone/vulnerability/wordpress-car-zone-theme-3-7-arbitrary-file-deletion-vulnerability) and the Aivah Themes vendor page for a release above 3.7, then upgrade immediately. Until a fix is published, compensating controls include putting the site behind a WAF rule that blocks ../ and URL-encoded traversal sequences (%2e%2e%2f, %2e%2e/) on theme AJAX and REST endpoints, restricting unauthenticated access to /wp-admin/admin-ajax.php actions registered by the theme via web-server ACLs, or temporarily switching to a different theme - note that WAF rules can produce false positives on benign query strings and switching themes will lose Car Zone's layout customisations. Make a verified offsite backup of wp-config.php and the uploads tree before exposing the site further.

Share

CVE-2025-69139 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy