The Automotive Car Dealership Business WordPress Theme suffers from a stored cross-site scripting vulnerability (CWE-79) in the 'project_details' custom field of Portfolio Items. This flaw allows authenticated users with contributor-level or higher permissions to inject arbitrary web scripts due to improper input neutralization and output escaping. When other users access the injected pages, the malicious scripts execute, potentially leading to session hijacking or other client-side attacks. The vulnerability affects all versions up to 13.4.1. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, and partial confidentiality and integrity impact. No vendor patch or official remediation is currently documented.

An attacker with contributor-level or higher privileges can inject persistent malicious scripts into Portfolio Item pages via the 'project_details' custom field. These scripts execute in the context of users viewing the affected pages, potentially compromising user sessions and data confidentiality and integrity. The vulnerability does not impact availability. There are no known active exploits reported. The medium severity reflects the need for authenticated access to exploit and the partial impact on confidentiality and integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level permissions to trusted users only and consider disabling or limiting use of the 'project_details' custom field in Portfolio Items. Employ web application firewalls (WAFs) that can detect and block XSS payloads as a temporary mitigation. Monitor for updates from the theme vendor regarding patches or official fixes.