CVE-2025-5322: VikRentCar WordPress Plugin Vulnerable to Arbitrary File Upload

VikRentCar Car Rental Management System, a WordPress plugin, is susceptible to arbitrary file uploads, potentially leading to Remote Code Execution (RCE). This vulnerability affects versions up to 1.4.3.

Vulnerability Details

  • CVE ID: CVE-2025-5322
  • Description: The VikRentCar plugin lacks proper file type validation, allowing authenticated administrators to upload arbitrary files. This could lead to remote code execution.
  • CVSS Score: 7.2 HIGH
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVSS Explanation: This score indicates a high-severity vulnerability. It is remotely exploitable with low attack complexity, but it requires administrator privileges. A successful exploit could result in complete compromise of the confidentiality, integrity, and availability of the server.
  • Exploit Requirements: Administrator-level access to the WordPress instance is required.
  • Affected Vendor: VikRentCar
  • Affected Product: VikRentCar Car Rental Management System
  • Affected Version: Versions up to 1.4.3
  • CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type
  • CWE Explanation: This vulnerability arises from the failure to restrict the type of files that can be uploaded to the server. Attackers can exploit this by uploading malicious files, such as PHP scripts, that can then be executed by the server.

Timeline of Events

  • Reported: Unknown
  • Published: 2025-07-03
  • Fixed: Unknown (Likely after 1.4.3)

Exploitability & Real-World Risk

The vulnerability is relatively straightforward to exploit given administrator access. A successful upload of a PHP shell or similar malicious file could allow an attacker to execute arbitrary code on the server, potentially leading to complete system compromise. This could be used for data theft, website defacement, or further attacks on the network.

Recommendations

  • Update: Upgrade to the latest version of the VikRentCar plugin as soon as a patch is available.
  • Principle of Least Privilege: Ensure users are assigned the minimum level of privileges required. Avoid granting administrator access unnecessarily.
  • Web Application Firewall (WAF): Deploy a WAF with rules that block uploads of executable file types (for example, .php) to the plugin's endpoints.
  • File Integrity Monitoring: Monitor the file system, especially the web root and the plugin's upload directories, for unexpected new or modified files such as PHP scripts.
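The file integrity monitoring recommendation above can be put into practice with a small scanner that walks the WordPress uploads tree and flags anything that should never sit there. The script below is an added example written for this page; it is not code from VikRentCar or Wordfence. The uploads path is a placeholder, the 24-hour "recently modified" window is an arbitrary choice, and the extension list is a common baseline rather than an exhaustive one.

```php
<?php
// Added example (not from the VikRentCar plugin): CLI scanner for a WordPress
// uploads directory. Reports files by reason so the output can feed a SIEM or cron mail.

const DANGEROUS_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'inc'];

// Returns a list of [path, reason] pairs for files that warrant a look.
function scan_uploads(string $root, int $newer_than = 0): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );

    foreach ($iterator as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $name = strtolower($file->getFilename());

        // 1. Server configuration files dropped into uploads can change how the
        //    web server treats the directory; they do not belong there.
        if ($name === '.htaccess' || $name === '.user.ini') {
            $findings[] = [$path, 'server config file in uploads'];
            continue;
        }

        // 2. Any PHP-like extension anywhere in the name, so "photo.php.jpg"
        //    (a double extension) is caught as well as plain "shell.php".
        $parts = explode('.', $name);
        array_shift($parts); // drop the base name, keep every extension segment
        foreach ($parts as $ext) {
            if (in_array($ext, DANGEROUS_EXT, true)) {
                $findings[] = [$path, "executable extension .$ext"];
                continue 2;
            }
        }

        // 3. Content that opens with a PHP tag, regardless of what the extension claims.
        //    Only the first 4 KiB is read to keep the scan cheap on large media files.
        $head = @file_get_contents($path, false, null, 0, 4096);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head) === 1) {
            $findings[] = [$path, 'PHP open tag in content'];
            continue;
        }

        // 4. Anything modified inside the window, even if it looks benign: uploads
        //    directories on a quiet site should change only when someone publishes.
        if ($newer_than > 0 && $file->getMTime() >= $newer_than) {
            $findings[] = [$path, 'modified at ' . date('c', $file->getMTime())];
        }
    }

    return $findings;
}

// Placeholder path; pass the real uploads directory as the first argument.
$root = $argv[1] ?? '/var/www/html/wp-content/uploads';
foreach (scan_uploads($root, time() - 86400) as [$path, $reason]) {
    fwrite(STDOUT, "$reason\t$path\n");
}
```

Run it from cron as the web server user (`php scan_uploads.php /path/to/wp-content/uploads`) and alert on any non-empty output. Check 3 is the one that matters most for this class of bug: a file that passed an extension-only check but carries PHP in its body still shows up.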

Technical Insight

The vulnerability stems from the lack of proper file type validation in the do_updatecar and createcar functions within the VikRentCar plugin. By bypassing existing checks or through the absence of checks altogether, an attacker can upload malicious files with extensions like .php, enabling remote code execution.
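To make the "lack of proper file type validation" concrete, here is the unsafe pattern that CWE-434 describes next to a hardened upload handler built on WordPress's own file-type checks. This is an added example written for this page, not VikRentCar's code, and the function names, the `vrc_upload_image` nonce action and the `manage_options` capability are assumptions; the real plugin's handlers (do_updatecar, createcar) are not reproduced here.

```php
<?php
// Added example (not the plugin's code): CWE-434 pattern and its hardened counterpart.
// Assumes it runs inside WordPress (wp_check_filetype_and_ext, current_user_can,
// check_admin_referer and wp_die are core functions).

// UNSAFE: trusts the client-supplied filename and stores whatever arrived.
// A request carrying "shell.php" ends up as an executable file under the web root.
function unsafe_save_car_image(array $file, string $dest_dir): string
{
    $target = rtrim($dest_dir, '/') . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $target);
    return $target;
}

// HARDENED: capability and nonce checks, an image-only allowlist, content
// inspection, and a server-generated filename so the client never controls
// the stored name or extension.
function safe_save_car_image(array $file, string $dest_dir): string
{
    if (!current_user_can('manage_options')) {           // assumed capability
        wp_die('Insufficient privileges', '', ['response' => 403]);
    }
    check_admin_referer('vrc_upload_image');              // hypothetical nonce action

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        wp_die('Upload failed', '', ['response' => 400]);
    }

    // A car photo can only be an image; everything else is rejected outright.
    $allowed = [
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    ];

    // wp_check_filetype_and_ext() matches the extension against the allowlist AND
    // inspects the bytes, so "shell.php.jpg" or a PHP file renamed to .png comes
    // back with ext/type set to false instead of being trusted.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_die('Only JPEG, PNG, GIF or WebP images are accepted', '', ['response' => 415]);
    }

    // Belt and braces: the image decoder must agree this is a real image.
    if (@getimagesize($file['tmp_name']) === false) {
        wp_die('File is not a valid image', '', ['response' => 415]);
    }

    // Never reuse the client's name: random name plus the *verified* extension.
    $target = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $check['ext'];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        wp_die('Could not store file', '', ['response' => 500]);
    }
    chmod($target, 0644);
    return $target;
}
```

The key difference is that the hardened version decides the extension from what the file actually is, never from what the request says it is, and that the decision comes from an allowlist rather than a denylist of bad extensions. In a real plugin the same result is usually reached by handing the upload to wp_handle_upload() with a 'mimes' override, which applies these checks internally; the explicit version above just makes each step visible.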

Credit to Researcher(s)

Wordfence

Tags

CVE-2025-5322, VikRentCar, WordPress, Arbitrary File Upload, RCE, Plugin Vulnerability, Wordfence

Summary: The VikRentCar WordPress plugin is vulnerable to arbitrary file uploads by authenticated administrators, potentially leading to remote code execution. Update to the latest version immediately.

CVE ID: CVE-2025-5322

Risk Analysis: Successful exploitation could lead to complete system compromise, including data theft, website defacement, and further attacks on the network.

Recommendation: Update to the latest version of the VikRentCar plugin. Implement a Web Application Firewall (WAF) and follow the principle of least privilege.

Timeline

  • 2025-07-03: CVE Published
