Medium severity6.4NVD Advisory· Published May 29, 2026· Updated May 29, 2026
CVE-2025-14042
CVE-2025-14042
Description
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Project Details' custom field in Portfolio Items in all versions up to, and including, 13.4.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'project_details' custom field. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected products
2<=13.4.1+ 1 more
- (no CPE)range: <=13.4.1
- (no CPE)range: <=13.4.1
Patches
Vulnerability mechanics
References
2News mentions
2- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)Wordfence Blog · Jun 4, 2026
- WordPress Plugin Batch: 25 CVEs Across 20+ Plugins Disclosed in Late May 2026Vypr Intelligence · May 31, 2026