CVE-2024-11640

HIGH 8.8

VikRentCar Car Rental Management System <= 1.4.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible.

CWE	CWE-352
Vendor	e4jvikwp
Product	vikrentcar car rental management system
Published	Mar 8, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for e4jvikwp vikrentcar car rental management system

Be the first to know when new high vulnerabilities affecting e4jvikwp vikrentcar car rental management system are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

e4jvikwp / VikRentCar Car Rental Management System

0 ≤ 1.4.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/4a4c085a-1601-4c1a-ac17-0f2cf5d02489?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3225040/vikrentcar

Credits

Noah Stead