Skip to main content

Car Dealer CVE-2026-24391

| EUVDEUVD-2026-15575 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-7382-55cr-x89w
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15575
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeMakers Car Dealer cardealer allows Reflected XSS.This issue affects Car Dealer: from n/a through <= 1.6.7.

AnalysisAI

A reflected Cross-Site Scripting (XSS) vulnerability exists in ThemeMakers Car Dealer WordPress theme affecting versions up to and including 1.6.7. The vulnerability allows attackers to inject malicious scripts that execute in the browsers of users who click specially crafted links, potentially leading to session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or KEV status is currently available, and the vulnerability has not been reported as actively exploited in public threat intelligence.

Technical ContextAI

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a reflected XSS attack vector. The affected product is the Car Dealer WordPress theme by ThemeMakers, identified via CPE cpe:2.3:a:thememakers:car_dealer:*:*:*:*:*:*:*:*. Reflected XSS occurs when unsanitized user input from HTTP request parameters is directly rendered into the HTML response without proper encoding or validation, allowing attackers to inject arbitrary JavaScript. This commonly affects WordPress themes that process query parameters or form inputs in page templates without utilizing WordPress sanitization functions such as sanitize_text_field(), esc_html(), or esc_attr().

RemediationAI

Update the Car Dealer theme to a patched version beyond 1.6.7 as soon as vendor updates become available; check the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/cardealer/vulnerability/wordpress-car-dealer-theme-1-6-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve and ThemeMakers' official website for patch availability. Until patching is feasible, implement WordPress security hardening measures including: enforce input validation and output encoding on all user-supplied data using WordPress functions like sanitize_text_field() and wp_kses_post(), disable the vulnerable theme if unused, implement a Web Application Firewall (WAF) to filter XSS payloads, and educate users to avoid clicking suspicious links, especially from untrusted sources. Additionally, consider restricting access to the WordPress admin panel via IP allowlisting and enable two-factor authentication for all administrative accounts to limit the impact of compromised sessions.

Share

CVE-2026-24391 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy