ByteOS Network

themesuite

Source -

CNA

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2025-14040

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-6.4||MEDIUM

EPSS-0.02% / 6.02%

7 Day CHG~0.00%

Published-27 Feb, 2026 | 06:43

Updated-27 Feb, 2026 | 18:45

Automotive Car Dealership Business WordPress Theme <= 13.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action Fields

The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendor-themesuite

Product-Automotive Car Dealership Business WordPress Theme

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-67928

Assigner-Patchstack

View Details

Assigner-Patchstack

CVSS Score-9.8||CRITICAL

EPSS-0.04% / 13.33%

7 Day CHG~0.00%

Published-08 Jan, 2026 | 09:17

Updated-20 Jan, 2026 | 15:19

WordPress Automotive Listings plugin <= 18.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection.This issue affects Automotive Listings: from n/a through <= 18.6.

Vendor-themesuite

Product-Automotive Listings

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')