CVE-2025-14042 MEDIUM

CVE-2025-14042: Automotive Car Dealership Business WordPress Theme <= 13.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Portfolio Project Details

Vendor Themesuite

Product Automotive Car Dealership Business WordPress Theme

Weakness CWE-79 · XSS

Published May 29, 2026

Last update May 29, 2026

View on NVD All CVEs

CVSS base score

6.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

Description

The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Project Details' custom field in Portfolio Items in all versions up to, and including, 13.4.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'project_details' custom field. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Key dates

Disclosure timeline

May 29, 2026 CVE published

May 29, 2026 Record updated

Identifiers

CVE CVE-2025-14042

CWE CWE-79

CVSS 6.4 / MEDIUM

Affected versions

Vendor Themesuite

Product Automotive Car Dealership Business WordPress Theme

Affected ≤ 13.4.1