MidnightBSD

Advisories for carspot_project

CVE-2019-15870 LOW

The CarSpot theme before 2.1.7 for WordPress has stored XSS via the Phone Number field.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
carspot_project carspot *
CVE-2024-12860

The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@wordfence.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
carspot_project carspot *