CVE-2025-3860
📋 TL;DR
The CarDealerPress WordPress plugin has a stored XSS vulnerability in the 'saleclass' parameter that allows authenticated attackers with Contributor access or higher to inject malicious scripts. These scripts execute when users view affected pages, potentially compromising visitor browsers. All WordPress sites using this plugin up to version 6.7.2504.00 are affected.
💻 Affected Systems
- WordPress CarDealerPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install malware on visitor systems through persistent script execution.
Likely Case
Session hijacking, cookie theft, or website defacement by malicious contributors or compromised accounts.
If Mitigated
Limited to authenticated users only, with minimal impact if proper user access controls and content security policies are implemented.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 6.7.2504.00
Vendor Advisory: https://wordpress.org/plugins/cardealerpress/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find CarDealerPress plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and remove plugin until patched version is released.
🔧 Temporary Workarounds
Remove Contributor Access
allTemporarily remove Contributor role access or restrict to trusted users only
Implement Content Security Policy
allAdd CSP headers to restrict script execution sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to WordPress functions.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Deactivate and remove the CarDealerPress plugin immediately
- Implement strict user access controls and monitor contributor activities
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for CarDealerPress version. If version is 6.7.2504.00 or lower, you are vulnerable.Check Version:
wp plugin list --name=cardealerpress --field=version (if WP-CLI installed)Verify Fix Applied:
After update, verify CarDealerPress plugin version is higher than 6.7.2504.00 in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to pages with 'saleclass' parameter
- Multiple failed login attempts followed by successful Contributor login
- Suspicious script tags in database content fields
Network Indicators:
- Outbound connections to unknown domains from your WordPress site
- Unexpected script loads from external sources
SIEM Query:
source="wordpress.log" AND ("saleclass" OR "cardealerpress") AND ("script" OR "alert" OR "onerror")