Vulnerabilities and security researches forvikrentcar vikrentcar

Jun 06, 2024

CVE, Research URL: CVE-2023-23998
Home page URL: Security reports for VikRentCar Car Rental Management System
Application: VikRentCar Car Rental Management System
Date: Apr 06, 2023
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in E4J s.R.L. VikRentCar Car Rental Management System plugin <= 1.3.0 versions.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-24519
Home page URL: Security reports for VikRentCar Car Rental Management System
Application: VikRentCar Car Rental Management System
Date: Aug 16, 2021
Research Description: The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-32780
Home page URL: Security reports for VikRentCar Car Rental Management System
Application: VikRentCar Car Rental Management System
Date: Apr 24, 2024
Research Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in E4J s.R.L. VikRentCar.This issue affects VikRentCar: from n/a through 1.3.2.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-24388
Home page URL: Security reports for VikRentCar Car Rental Management System
Application: VikRentCar Car Rental Management System
Date: Jul 06, 2021
Research Description: In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it.
Affected versions: Min -, max -.
Status: vulnerable

Jul 13, 2024

CVE, Research URL: CVE-2024-1845
Home page URL: Security reports for VikRentCar Car Rental Management System
Application: VikRentCar Car Rental Management System
Date: Jul 11, 2024
Research Description: The VikRentCar Car Rental Management System WordPress plugin before 1.3.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
Affected versions: Min -, max -.
Status: vulnerable

Aug 05, 2024

CVE, Research URL: CVE-2024-39653
Home page URL: Security reports for VikRentCar Car Rental Management System
Application: VikRentCar Car Rental Management System
Date: Aug 29, 2024
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in E4J s.R.L. VikRentCar allows SQL Injection.This issue affects VikRentCar: from n/a through 1.4.0.
Affected versions: Min -, max -.
Status: vulnerable

Mar 08, 2025

CVE, Research URL: CVE-2024-11640
Home page URL: Security reports for VikRentCar Car Rental Management System
Application: VikRentCar Car Rental Management System
Date: Mar 08, 2025
Research Description: The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable

Jul 04, 2025

CVE, Research URL: CVE-2025-5322
Home page URL: Security reports for VikRentCar Car Rental Management System
Application: VikRentCar Car Rental Management System
Date: Jul 04, 2025
Research Description: The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable