CVE-2025-1687: 
WordPress vulnerability analysis and mitigation

The Cardealer theme for WordPress is affected by a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.6.4. The vulnerability was discovered and disclosed on February 27, 2025. The issue stems from missing nonce validation on the 'updateuserprofile' function, affecting the user profile update functionality (NVD).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) with a CVSS v3.1 Base Score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue is tracked as CWE-352 (Cross-Site Request Forgery). The vulnerability exists due to the absence of proper nonce validation in the 'updateuserprofile' function, which is responsible for handling user profile updates (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to update user email addresses and passwords through forged requests. The attack requires social engineering, as the attacker must trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

The vulnerability was addressed in version 1.6.5 of the Cardealer theme, released on January 26, 2025. Users are strongly advised to update to this version or later to protect against this security issue (Cardealer Changelog).