CVE-2025-14040: Stored Cross-Site Scripting in Automotive Car Dealership Theme
Severity: 6.4
Summary
The Automotive Car Dealership Business WordPress Theme has a security flaw that allows attackers with contributor-level access to inject malicious script into the website. The injected script executes in the browser of any user who visits the affected page, potentially allowing the attacker to take control of the website. To fix this, update the theme to a version newer than 13.4 or remove the vulnerable custom fields.
Original description
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
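The description attributes the flaw to missing sanitization on input and missing escaping on output of four custom fields that are rendered into a page. The snippet below is an added illustration written for this page, not the theme's own code: it shows a rendering pattern of the kind the advisory describes beside a hardened version that escapes each value for the HTML context it lands in, plus a save hook that sanitizes the values before they reach post meta. The field names are the ones named in the advisory; the markup layout, the function names and the `cta_` prefix are assumptions.

```php
<?php
// Added example, not code from the Automotive Car Dealership theme.
// Field keys come from the advisory; everything else is illustrative.

// Vulnerable pattern: post meta supplied by a contributor is concatenated
// straight into HTML text, an attribute, and an href with no escaping.
function cta_render_unsafe( $post_id ) {
    $text  = get_post_meta( $post_id, 'action_text', true );
    $btn   = get_post_meta( $post_id, 'action_button_text', true );
    $link  = get_post_meta( $post_id, 'action_link', true );
    $class = get_post_meta( $post_id, 'action_class', true );

    return '<div class="cta ' . $class . '"><p>' . $text . '</p>'
         . '<a class="cta-button" href="' . $link . '">' . $btn . '</a></div>';
}

// Hardened pattern: escape at output, choosing the escaper by context.
//   - esc_html()            for text nodes
//   - esc_attr()            for attribute values
//   - esc_url()             for href (drops javascript: and other
//                            schemes not in wp_allowed_protocols())
//   - sanitize_html_class() for a CSS class token
function cta_render_safe( $post_id ) {
    $text  = get_post_meta( $post_id, 'action_text', true );
    $btn   = get_post_meta( $post_id, 'action_button_text', true );
    $link  = get_post_meta( $post_id, 'action_link', true );
    $class = get_post_meta( $post_id, 'action_class', true );

    $classes = 'cta ' . sanitize_html_class( $class );

    return '<div class="' . esc_attr( $classes ) . '"><p>' . esc_html( $text ) . '</p>'
         . '<a class="cta-button" href="' . esc_url( $link ) . '">'
         . esc_html( $btn ) . '</a></div>';
}

// Defense in depth: sanitize on save as well, so stored meta never holds
// markup. Output escaping above still applies, because meta can be written
// by other code paths (REST API, importers) that bypass this hook.
function cta_save_fields( $post_id ) {
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // 'cta_fields_nonce' is an assumed nonce field name for this example.
    if ( ! isset( $_POST['cta_fields_nonce'] )
        || ! wp_verify_nonce( $_POST['cta_fields_nonce'], 'cta_save_fields' ) ) {
        return;
    }

    $sanitizers = array(
        'action_text'        => 'sanitize_text_field',
        'action_button_text' => 'sanitize_text_field',
        'action_link'        => 'esc_url_raw',
        'action_class'       => 'sanitize_html_class',
    );

    foreach ( $sanitizers as $key => $fn ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_post_meta( $post_id, $key, call_user_func( $fn, wp_unslash( $_POST[ $key ] ) ) );
        }
    }
}
add_action( 'save_post', 'cta_save_fields' );
```

The important design point is that escaping is chosen per context and applied where the value is written into the page: the same string needs `esc_url()` in an href, `esc_attr()` in an attribute and `esc_html()` in a text node. Sanitizing only on save would not have been enough on its own, since contributors can reach post meta through several code paths, so the output side is what closes the stored XSS.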
NVD CVSS 3.1 score: 6.4
Vulnerability type: CWE-79, Cross-site Scripting (XSS)
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026