CVE-2025-1682: 
WordPress vulnerability analysis and mitigation

The Cardealer WordPress theme contains a privilege escalation vulnerability (CVE-2025-1682) affecting versions up to and including 1.6.4. The vulnerability was discovered and disclosed on February 27, 2025, by security researcher István Márton from Wordfence (NVD).

The vulnerability stems from a missing capability check in the 'save_settings' function, which allows authenticated users with subscriber-level access or higher to modify the default user role. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is categorized as CWE-862: Missing Authorization (NVD).

The vulnerability allows authenticated attackers with subscriber-level privileges or higher to escalate their privileges by modifying the default user role. This could potentially give attackers administrative access to the WordPress site, leading to complete site compromise (NVD).

Website administrators running the affected versions of the Cardealer theme (versions up to and including 1.6.4) should update to the latest version when available. In the meantime, it is recommended to review and restrict user roles and permissions (Theme Changelog).