
CVE-2025-5322: CWE-434 Unrestricted Upload of File with Dangerous Type in e4jvikwp VikRentCar Car Rental Management System

Severity: High
Tags: Vulnerability, CVE-2025-5322, CWE-434
Published: Thu Jul 03 2025 (07/03/2025, 21:24:34 UTC)
Source: CVE Database V5
Vendor/Project: e4jvikwp
Product: VikRentCar Car Rental Management System

Description

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

AI-Powered Analysis

Last updated: 07/14/2025, 21:26:58 UTC

Technical Analysis

CVE-2025-5322 is a high-severity vulnerability in the VikRentCar Car Rental Management System plugin for WordPress, maintained by e4jvikwp. The root cause is missing file type validation in the plugin's do_updatecar and createcar functions, in all versions up to and including 1.4.3. An authenticated user with Administrator-level privileges or higher can use these code paths to write a file of any type to the web server hosting the site. If the file lands in a web-reachable directory where the server executes scripts (which wp-content/uploads is on a stock mod_php or PHP-FPM setup), a PHP web shell uploaded this way gives remote code execution as the web server user. The weakness is classified as CWE-434: Unrestricted Upload of File with Dangerous Type, one of the most common routes from an application account to a compromised host.

The CVSS 3.1 base score is 7.2 (High): network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), unchanged scope (S:U), and high confidentiality, integrity and availability impact (C:H/I:H/A:H), i.e. CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. No exploitation in the wild had been reported at the time of this record. The record as captured here carries no patch reference, so check the vendor's changelog for a release later than 1.4.3 rather than assuming either that a fix exists or that it does not.

The Administrator requirement shapes the risk rather than removing it. On a single-site WordPress install with default settings an Administrator can already upload arbitrary plugins and edit theme files, so an admin account is effectively code execution by design; this flaw matters most where that capability has been deliberately removed (DISALLOW_FILE_MODS set, or multisite and managed hosting where site admins are not super admins) and wherever admin credentials can be obtained through phishing, credential stuffing, password reuse or an insider. Once exploited, the outcome is the same as any server-side code execution: data theft, site defacement or full takeover of the host.

Potential Impact

For European organizations running VikRentCar on WordPress, the exposure follows from what the plugin handles: booking records, customer identification details such as driving licence data, and often payment information. Code execution on the server holding that data is a personal data breach under the GDPR, with the notification duties and potential fines that entails, and it lets an attacker plant a persistent backdoor, take the booking site offline, or move laterally into whatever the web host can reach (the database server, neighbouring sites on shared hosting, internal APIs). Rental and travel businesses are a realistic target because the data is directly monetisable and the sites are public-facing. The need for an Administrator account limits exploitation to insiders or to attackers who have already obtained admin credentials, but that is a common position for an attacker to be in, and the impact once there is complete control of the host.

Mitigation Recommendations

European organizations should first audit their WordPress installations for the VikRentCar plugin and record the version in use (the Plugins screen, or the Version header of the plugin's main file under wp-content/plugins, shows it). Until a fixed release is confirmed, apply the following:

1) Restrict Administrator access to trusted personnel, enforce multi-factor authentication on those accounts, and remove stale or shared admin logins; a working admin session is the precondition for this attack.
2) Add web application firewall rules that block multipart uploads of executable types (.php, .phtml, .phar and similar) to the plugin's admin endpoints, and log what is blocked so attempts are visible.
3) Run file integrity monitoring over the web root so that any new or modified .php file outside the expected plugin and theme directories raises an alert.
4) Configure the web server to refuse to execute scripts in directories the PHP process can write to, starting with wp-content/uploads: on Apache a directory-level rule that removes the PHP handler, on nginx a location block that returns 403 for .php requests under uploads. This does not stop the upload itself but removes the path from upload to code execution.
5) Review web server and WordPress audit logs for file uploads and administrative actions by accounts, or from source addresses, that do not normally perform them.
6) If the plugin is not essential, deactivate it until a patched version is available, or replace it.
7) Keep tested backups and an incident response plan ready so that a compromise can be contained and the host rebuilt from a known-good state.
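The audit step above, as an added shell example that is not part of this record or of the VikRentCar plugin's own code. It locates WordPress installs by their wp-config.php, identifies the plugin by the "Plugin Name" header of whichever file in a plugin directory carries it (the main file name is not assumed), compares the "Version" header against 1.4.3 with sort -V, and reports whether DISALLOW_FILE_MODS is set, because that constant decides whether an Administrator could already upload plugin code without this bug. The function names, the match on the string "VikRentCar" and the sample tree used in testing are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the CVE record or the VikRentCar vendor.
# Audits a directory tree for WordPress installs, finds the VikRentCar plugin
# by its "Plugin Name" header (main file name not assumed), compares its
# version with the last affected release named in CVE-2025-5322, and reports
# whether DISALLOW_FILE_MODS is set, the constant that removes a WordPress
# Administrator's built-in ability to upload arbitrary plugin code.
# Requires: bash or POSIX sh, find, sed, grep, and a sort that supports -V.

VRC_LAST_AFFECTED="1.4.3"   # "all versions up to, and including, 1.4.3"

# vrc_version_le A B: succeeds when dotted version A <= B.
vrc_version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# vrc_is_vulnerable VERSION: succeeds when VERSION is in the affected range.
vrc_is_vulnerable() {
  vrc_version_le "$1" "$VRC_LAST_AFFECTED"
}

# vrc_plugin_header FILE KEY: value of a WordPress plugin header line such as
# " * Version: 1.4.3" from the comment block at the top of FILE (CRLF tolerated).
vrc_plugin_header() {
  head -n 60 "$1" \
    | sed -n "s/^[[:space:]*]*$2:[[:space:]]*//p" \
    | head -n 1 \
    | tr -d '\r' \
    | sed 's/[[:space:]]*$//'
}

# vrc_find_plugin_file PLUGINS_DIR: prints the main file of the plugin whose
# "Plugin Name" header mentions VikRentCar; fails if none is installed.
vrc_find_plugin_file() {
  local f
  for f in "$1"/*/*.php; do
    [ -f "$f" ] || continue
    case "$(vrc_plugin_header "$f" "Plugin Name")" in
      *VikRentCar*) printf '%s\n' "$f"; return 0 ;;
    esac
  done
  return 1
}

# vrc_file_mods_disallowed WP_CONFIG: succeeds when wp-config.php defines
# DISALLOW_FILE_MODS as true. (DISALLOW_FILE_EDIT alone only hides the theme
# and plugin editor; it does not block plugin uploads.)
vrc_file_mods_disallowed() {
  grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_MODS['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# vrc_audit_install WP_ROOT: prints one status line for the install rooted at
# WP_ROOT; succeeds only when an affected VikRentCar version is present.
vrc_audit_install() {
  local root="$1" file ver status rc mods
  file=$(vrc_find_plugin_file "$root/wp-content/plugins") || {
    printf '%s: VikRentCar not installed\n' "$root"
    return 1
  }
  ver=$(vrc_plugin_header "$file" "Version")
  # An unreadable version is reported as affected rather than silently passed.
  if [ -z "$ver" ] || vrc_is_vulnerable "$ver"; then
    status="AFFECTED (<= $VRC_LAST_AFFECTED)"; rc=0
  else
    status="not in affected range"; rc=1
  fi
  if vrc_file_mods_disallowed "$root/wp-config.php"; then
    mods="DISALLOW_FILE_MODS=true"
  else
    mods="DISALLOW_FILE_MODS unset (admins can already upload plugin code)"
  fi
  printf '%s: VikRentCar %s, %s; %s\n' "$root" "${ver:-unknown}" "$status" "$mods"
  return "$rc"
}

# vrc_audit_tree DIR: audits every WordPress install found below DIR.
vrc_audit_tree() {
  find "$1" -type f -name wp-config.php 2>/dev/null | while IFS= read -r cfg; do
    vrc_audit_install "$(dirname "$cfg")" || :
  done
}

# Usage: vrc_audit.sh /var/www   (with no argument the functions are only defined)
if [ "$#" -gt 0 ]; then
  vrc_audit_tree "$1"
fi
```

Run it as bash vrc_audit.sh /var/www on each host; an exit status of 0 from vrc_audit_install means an affected version was found. The script only reports. The hardening in step 4 (refusing to execute .php under wp-content/uploads) is a web server configuration change that it does not make, and DISALLOW_FILE_MODS does not block this plugin's own upload path; it is shown because it tells you whether the bug adds anything an Administrator could not already do.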

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-05-29T08:16:36.557Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6866f8926f40f0eb729c92bd

Added to database: 7/3/2025, 9:39:30 PM

Last enriched: 7/14/2025, 9:26:58 PM

Last updated: 8/15/2025, 7:49:47 PM
