CVE-2025-13764

The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 1.2.16.

A critical privilege escalation vulnerability exists in the WP CarDealer plugin for WordPress, affecting all versions up to and including 1.2.16.

Executive summary

A critical privilege escalation vulnerability exists in the WP CarDealer plugin for WordPress, affecting all versions up to and including 1.2.16. This flaw allows an unauthenticated attacker to register a new user account with full administrator privileges, leading to a complete compromise of the affected website. Successful exploitation grants the attacker total control over the site's content, users, and underlying server functions.

Vulnerability

The vulnerability is located in the WP_CarDealer_User::process_register function, which handles new user registrations. This function fails to properly validate or restrict the user role that can be assigned during the registration process. An unauthenticated attacker can exploit this by sending a crafted registration request that includes a parameter specifying the desired user role as 'administrator'. Because the plugin does not check if the supplied role is permissible, it processes the request and creates a new user with full administrative privileges on the WordPress site.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the extreme risk it poses to an organization. An attacker who successfully exploits this flaw gains complete administrative control over the WordPress website. This can lead to severe business consequences, including website defacement, theft of sensitive customer or business data, injection of malware to attack site visitors, and using the compromised server for further malicious activities. The potential impact includes significant reputational damage, financial loss, and legal or regulatory penalties related to data breaches.

Remediation

Immediate Action: Update the WP CarDealer plugin for WordPress to the latest version available from the vendor (a version later than 1.2.16) without delay. After updating, thoroughly review all user accounts, especially those with administrator privileges, to identify and remove any unauthorized accounts created by attackers. Review server access logs for suspicious registration activity.

Proactive Monitoring: Monitor user registration logs for any attempts to create users with elevated roles such as 'administrator', 'editor', or 'author'. Implement alerts for the creation of any new administrator-level accounts. Use a Web Application Firewall (WAF) to monitor and log POST requests to the user registration endpoint, specifically looking for parameters attempting to set a user role.

Compensating Controls: If immediate patching is not feasible, consider these mitigating actions:

  • Disable user registration functionality through the WP CarDealer plugin if it is not essential for business operations.
  • Implement a Web Application Firewall (WAF) rule to inspect and block registration requests that contain a role parameter set to 'administrator' or other privileged roles.
  • Restrict access to the registration page to only trusted IP addresses.
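The monitoring rule above, implemented as an added example (not code from the advisory or the plugin): a small detector that scans constructed WAF request-log lines for registration POSTs carrying a privileged role value. The registration path (/register), the tab-separated log format and the sample lines are assumptions; it also generalizes slightly by flagging any parameter whose name contains "role", not only a literal role field.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

PRIVILEGED_ROLES = {"administrator", "editor", "author"}
# Assumption: the advisory does not name the plugin's registration endpoint.
REGISTRATION_PATH = "/register"

# Constructed sample WAF log: timestamp, client IP, method, path, POST body (tab-separated).
SAMPLE_LOG = """\
2025-11-30T10:00:01Z\t198.51.100.7\tPOST\t/register\tuser_login=alice&user_email=alice%40example.com&password=x
2025-11-30T10:00:05Z\t203.0.113.9\tPOST\t/register\tuser_login=mallory&user_email=m%40example.com&role=administrator
2025-11-30T10:00:09Z\t203.0.113.9\tPOST\t/register\tuser_login=m2&user_email=m2%40example.com&user%5Brole%5D=Editor
2025-11-30T10:00:12Z\t192.0.2.4\tGET\t/register\t
2025-11-30T10:00:15Z\t192.0.2.4\tPOST\t/contact\trole=administrator&msg=hi
"""


@dataclass
class Finding:
    ts: str
    ip: str
    param: str
    role: str


def privileged_role_params(body: str) -> list[tuple[str, str]]:
    """Return (param, value) pairs where a role-like parameter names a privileged role."""
    hits = []
    # parse_qs percent-decodes keys and values, so user%5Brole%5D becomes user[role].
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if "role" not in key.lower():
            continue
        for value in values:
            if value.strip().lower() in PRIVILEGED_ROLES:
                hits.append((key, value))
    return hits


def scan_log(text: str) -> list[Finding]:
    """Flag registration POSTs whose body tries to set a privileged role."""
    findings = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, ip, method, path, body = parts
        # A role field on any other endpoint is not this bug; keep the alert precise.
        if method != "POST" or path != REGISTRATION_PATH:
            continue
        for param, role in privileged_role_params(body):
            findings.append(Finding(ts, ip, param, role.lower()))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} tried to register with {f.param}={f.role}")
```

Each finding identifies the client and the exact parameter used, which is what the WAF block rule and the follow-up account review need.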

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the fact that this vulnerability can be exploited by an unauthenticated attacker, immediate remediation is imperative. We strongly recommend that organizations using the affected WP CarDealer plugin apply the security update to a patched version without delay. Furthermore, it is crucial to conduct a security audit to ensure no unauthorized administrative accounts exist on the website, as the site may have already been compromised. Although not yet on the CISA KEV list, its critical nature demands it be treated with the highest priority.