Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Unauthenticated network request triggers file deletion (AV:N/AC:L/PR:N/UI:N); impact crosses theme to WordPress core (S:C); only availability is affected (C:N/I:N/A:H).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Arbitrary File Deletion in Car Zone <= 3.7 versions.
AnalysisAI
Arbitrary file deletion in the Car Zone WordPress theme (versions through 3.7) by Aivah Themes lets remote, unauthenticated attackers remove files on the underlying server through a path-traversal flaw. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/A:H) reflects that file deletion crosses scope into the broader WordPress installation, enabling denial-of-service or forced reinstall scenarios. No public exploit identified at time of analysis and the CVE is not in CISA KEV.
Technical ContextAI
This is a CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal') issue in the Car Zone theme tracked under CPE cpe:2.3:a:aivahthemes:car_zone:*. Path-traversal bugs of this class in WordPress themes typically arise when a theme exposes an admin-ajax.php or REST handler that takes a filename parameter and passes it to unlink() or similar without canonicalising the path or restricting it to an allowed directory, allowing ../ sequences to escape the uploads or theme directory. Because WordPress runs the web server as a single OS user, deletion is bounded only by filesystem permissions of the PHP process, which usually has write access to wp-config.php, plugin files, and the uploads tree.
RemediationAI
No vendor-released patch version is identified in the supplied data - the Patchstack advisory is the only reference and it does not name a fixed release. Operators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/carzone/vulnerability/wordpress-car-zone-theme-3-7-arbitrary-file-deletion-vulnerability) and the Aivah Themes vendor page for a release above 3.7, then upgrade immediately. Until a fix is published, compensating controls include putting the site behind a WAF rule that blocks ../ and URL-encoded traversal sequences (%2e%2e%2f, %2e%2e/) on theme AJAX and REST endpoints, restricting unauthenticated access to /wp-admin/admin-ajax.php actions registered by the theme via web-server ACLs, or temporarily switching to a different theme - note that WAF rules can produce false positives on benign query strings and switching themes will lose Car Zone's layout customisations. Make a verified offsite backup of wp-config.php and the uploads tree before exposing the site further.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210206