The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
The vulnerability results from lack of proper token validation before updating a user password. An unauthenticated attacker can send a password change request for any account, including administrative accounts, without needing a valid verification token. After changing the password, the attacker logs in to the compromised account and gains full access according to its permissions.
An attacker can take control of any user account, including administrator accounts, leading to complete compromise of the WordPress site — enabling installation of malicious code, modification of content, or data theft.
The CarSpot theme should be updated to a version higher than 2.4.3. Patches available from the vendor should be applied according to references. Until the update is applied, it is recommended to monitor access logs for unauthorized password changes.
CarSpot – Dealership WordPress Classified Theme in all versions up to and including 2.4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCarspot Project Carspot
APPCarspot Project< 2.4.4