Attack Vectors
CVE-2025-14040 is a medium-severity Stored Cross-Site Scripting (XSS) issue (CVSS 6.4) affecting the Automotive Car Dealership Business WordPress Theme (slug: automotive) in versions 13.4 and earlier. An attacker must already have a WordPress account with Contributor-level permissions or higher to exploit it.
The attack is carried out by saving malicious script content into the theme's "Call to Action" custom fields (action_text, action_button_text, action_link and action_class). Judging by their names, these values land in different HTML contexts (visible text, a link href and a class attribute), which matters because the escaping needed to neutralize them differs by context. Once saved, the injected content executes in the browser of anyone who loads the affected page, including staff who manage the website.
Official CVE record: https://www.cve.org/CVERecord?id=CVE-2025-14040
Security Weakness
The underlying weakness is insufficient input sanitization and output escaping for user-supplied values entered into the theme's Call to Action fields. In practical terms, the theme accepts content that should be treated as untrusted and then writes it into the page without escaping it for the HTML context it lands in, so markup and script in the stored value are interpreted by the browser instead of being displayed as text.
Because this is stored (rather than reflected) XSS, the payload lives in the site's database and is served to every visitor of the page until it is removed; the attacker does not need to lure each victim through a crafted link. A single Contributor account therefore becomes an ongoing risk for anyone who views the affected pages.
Remediation guidance from the source is to update to version 13.4.2 or newer of the Automotive Car Dealership Business WordPress Theme. Updating does not by itself delete values already saved in those fields, so review existing Call to Action content for injected markup after updating, and review Contributor accounts if the site has a history of unexpected edits.
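As an added illustration of the attack vector and the weakness described above (not code from the Automotive theme or from Wordfence), the following Python models the four Call to Action fields being written into an HTML fragment, first verbatim and then with escaping chosen for each field's context. The markup template, the sample stored values and the allowlist of URL schemes are assumptions made for this example; the escaping helpers are plain-Python stand-ins that mirror the intent of WordPress's esc_html(), esc_attr(), esc_url() and sanitize_html_class(), not their implementations. The script_sinks() check parses the rendered output and lists anything that would execute script; the same check can be run over raw stored values when auditing the database after an update.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of what a Contributor might save into the four Call to
# Action fields named in the advisory. Each value targets the HTML context
# the field is written into; the values themselves are invented here.
STORED_CTA = {
    "action_text": "Book a test drive<script>alert(1)</script>",
    "action_button_text": "Call now<img src=x onerror=alert(1)>",
    "action_link": "javascript:alert(document.cookie)",
    "action_class": 'btn" onmouseover="alert(1)',
}

# Assumed layout of the rendered block; the theme's real markup is not known.
TEMPLATE = (
    '<div class="cta"><p>{action_text}</p>'
    '<a href="{action_link}" class="{action_class}">{action_button_text}</a>'
    '</div>'
)

SAFE_URL_SCHEMES = {"http", "https", "mailto", "tel"}


def esc_html(value: str) -> str:
    """Text-node context: neutralise <, >, & and both quote characters."""
    return html.escape(value, quote=True)


def esc_attr(value: str) -> str:
    """Quoted-attribute context: the quote is what allows a breakout."""
    return html.escape(value, quote=True)


def esc_url(value: str) -> str:
    """href context. Escaping alone does not stop a javascript: URL, so the
    scheme is checked against an allowlist. Browsers drop tab and newline
    characters before parsing a URL, so drop them first or 'java\\tscript:'
    would slip past the check."""
    value = re.sub(r"[\x00-\x1f\x7f]", "", value.strip())
    scheme = urlsplit(value).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return ""  # drop the whole URL rather than emit a live sink
    return esc_attr(value)


def sanitize_html_class(value: str) -> str:
    """class attribute: keep only characters valid in a list of CSS class
    names; quotes, '=', '<' and '>' never belong there."""
    return re.sub(r"[^A-Za-z0-9_\- ]", "", value)


def render_cta_unsafe(fields: dict) -> str:
    """The pattern the advisory describes: stored values echoed verbatim."""
    return TEMPLATE.format(**fields)


def render_cta_safe(fields: dict) -> str:
    """Each value escaped for the exact context it lands in."""
    return TEMPLATE.format(
        action_text=esc_html(fields["action_text"]),
        action_button_text=esc_html(fields["action_button_text"]),
        action_link=esc_url(fields["action_link"]),
        action_class=esc_attr(sanitize_html_class(fields["action_class"])),
    )


class _ScriptSinkFinder(HTMLParser):
    """Parses rendered HTML roughly as a browser would and records the
    constructs that execute script: <script> elements, on* event-handler
    attributes, and javascript: URLs in href or src."""

    def __init__(self) -> None:
        super().__init__()
        self.sinks: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sinks.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.sinks.append(f"{tag}@{name}")
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.sinks.append(f"{tag}@{name}=javascript:")


def script_sinks(rendered_html: str) -> list[str]:
    """Return the script-executing constructs in a rendered fragment.
    An empty list means the stored payloads were neutralised on output."""
    finder = _ScriptSinkFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.sinks


if __name__ == "__main__":
    for label, render in (("unsafe", render_cta_unsafe), ("safe", render_cta_safe)):
        out = render(STORED_CTA)
        print(f"[{label}] {out}\n        sinks: {script_sinks(out) or 'none'}")
```

The unsafe rendering yields four live sinks (a script element, a javascript: href, and two event-handler attributes); the safe rendering yields none. Note that esc_url() drops a disallowed URL instead of escaping it, because an HTML-escaped javascript: URL is still a javascript: URL once the browser decodes the attribute.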
Technical or Business Impacts
While this vulnerability is rated Medium, the business impact can be significant because website pages can be used as a delivery mechanism for unwanted actions in a user’s browser. Depending on who views an infected page, potential outcomes include:
Brand and revenue risk: On dealership sites, “Call to Action” areas are typically high-traffic and conversion-focused. An attacker could alter what users see (for example, changing button behavior or displayed messaging), redirect leads, or degrade trust at the point of conversion.
Account and data exposure risk: If an administrator or staff member views a compromised page while logged in, the injected script runs in the same origin as the WordPress dashboard with that user's session, so it can issue authenticated requests on the user's behalf; anti-CSRF nonces do not protect against script that is already running in the page. The exact outcome depends on the broader site setup and browser protections, but it can include content tampering, unauthorized plugin or theme changes, creation of new privileged accounts, or further compromise.
Compliance and incident-response cost: Even without confirmed data loss, script injection on customer-facing pages can trigger internal incident handling, external notifications depending on your policies and jurisdiction, and potential scrutiny from partners if marketing pages are used to misdirect leads.
Source details (Wordfence): https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd4b65d-b916-432f-bb59-d2f8a9aadeac
Similar Attacks
Stored XSS has been used in high-profile incidents to spread malicious code through trusted pages and sessions. A few well-known examples include:
The “Samy” MySpace worm (2005), which spread rapidly via stored script injection in user profiles.
The Twitter onMouseOver worm (2010), which leveraged script execution in user content to propagate and post automatically.