CVE-2025-3860 identifies a Stored Cross-Site Scripting (XSS) vulnerability in the CarDealerPress plugin for WordPress, a tool commonly used by automotive dealerships to manage online car listings. The vulnerability stems from improper neutralization of input during web page generation, specifically through the 'saleclass' parameter. This parameter is not sufficiently sanitized or escaped before being rendered in web pages, enabling an attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code. Because the malicious script is stored persistently, it executes in the context of any user who views the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The attack vector requires network access (remote) and low complexity due to the low privilege required, but does not require user interaction once the malicious content is injected. The vulnerability affects all versions of CarDealerPress up to and including 6.7.2504.00. Although no public exploits have been reported, the vulnerability's presence in a widely used WordPress plugin makes it a significant risk. The CVSS 3.1 base score of 6.4 reflects the medium severity, with partial impacts on confidentiality and integrity, no impact on availability, and a scope change due to the potential for cross-user impact. The vulnerability was published on May 7, 2025, and is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).

The primary impact of CVE-2025-3860 is the potential compromise of user confidentiality and integrity on websites using the vulnerable CarDealerPress plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of other users, including administrators and customers, leading to session hijacking, credential theft, or unauthorized actions such as modifying listings or changing settings. While availability is not directly affected, the reputational damage and potential data breaches can be severe for affected organizations. This vulnerability could facilitate further attacks, including privilege escalation or lateral movement within the affected WordPress environment. Given that WordPress powers a significant portion of the web and CarDealerPress targets automotive dealerships, organizations in this sector are at risk of targeted exploitation. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with many contributors or weak access controls. The absence of known exploits in the wild suggests limited current exploitation but also highlights the importance of proactive mitigation before attackers develop weaponized payloads.

To mitigate CVE-2025-3860, organizations should immediately update the CarDealerPress plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level and higher privileges to trusted users only and review existing user roles to minimize unnecessary access. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injection attempts targeting the 'saleclass' parameter can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Regularly auditing plugin configurations and user-generated content for suspicious code is recommended. Organizations should also monitor logs for unusual activities related to the plugin and educate contributors about safe input practices. Finally, consider isolating or sandboxing the WordPress environment to limit the scope of potential compromise.