CVE-2025-5322 is a high-severity vulnerability affecting the VikRentCar Car Rental Management System plugin for WordPress, developed by e4jvikwp. The vulnerability arises from the plugin's failure to properly validate file types during file upload operations within the do_updatecar and createcar functions. This flaw allows authenticated users with Administrator-level privileges or higher to upload arbitrary files to the server hosting the affected WordPress site. Since the plugin does not restrict or sanitize the file types being uploaded, attackers can potentially upload malicious files such as web shells or scripts that enable remote code execution (RCE). This could lead to full compromise of the web server, including unauthorized access to sensitive data, modification or deletion of content, and further lateral movement within the hosting environment. The vulnerability affects all versions of the VikRentCar plugin up to and including version 1.4.3. The CVSS v3.1 base score is 7.2, reflecting the network attack vector, low attack complexity, requirement for high privileges (administrator), no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation by privileged users make it a significant risk for sites using this plugin. The lack of a patch or update link indicates that mitigation may require manual intervention or vendor coordination.

For European organizations using WordPress sites with the VikRentCar plugin, this vulnerability poses a serious risk. Car rental businesses, travel agencies, and related service providers relying on this plugin could face unauthorized server compromise if an attacker gains administrator access, which might occur through credential theft, phishing, or insider threats. The impact includes potential data breaches involving customer personal information, financial data, or booking details, leading to regulatory non-compliance under GDPR. Additionally, attackers could deface websites, disrupt service availability, or use compromised servers as a foothold for further attacks within the corporate network. Given the critical role of car rental services in tourism and transportation sectors across Europe, exploitation could damage business reputation and cause operational downtime. The vulnerability's exploitation requires administrator privileges, which somewhat limits the attack surface but does not eliminate the risk, especially if credential hygiene is poor or insider threats exist.

European organizations should immediately audit their WordPress installations to identify the presence of the VikRentCar plugin and verify the version in use. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 2) Implement file integrity monitoring on the web server to detect unauthorized file uploads or modifications. 3) Employ web application firewalls (WAFs) with custom rules to block suspicious file upload attempts or execution of unauthorized scripts. 4) Disable or restrict the plugin’s file upload functionality if feasible, or replace the plugin with a more secure alternative. 5) Regularly review server logs for unusual activity related to file uploads or administrator actions. 6) Harden the web server environment by disabling execution permissions in upload directories and isolating WordPress files from other critical systems. 7) Maintain up-to-date backups to enable rapid recovery in case of compromise. Organizations should also monitor vendor communications for official patches and apply them promptly once available.