WP-Safety

CarDealerPress Security & Risk Analysis

wordpress.org/plugins/cardealerpress

In order to use CarDealerPress a subscription is required with DealerTrend. The plugin utilizes their API to pull automotive data.

30 active installs v6.9.2604.00 PHP 7.4+ WP 6.0+ Updated Apr 9, 2026
automotivecardealerpresscarsdealerdealertrend
99
A · Safe
CVEs total2
Unpatched0
Last CVEMay 6, 2025
Plugin page Download
Safety Verdict

Is CarDealerPress Safe to Use in 2026?

Generally Safe

Score 99/100

CarDealerPress has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: May 6, 2025Updated 1mo ago
Risk Assessment

The cardealerpress plugin, version 6.9.2603.00, exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query preparation (95%) and output escaping (96%), significant concerns arise from its attack surface. A notable 7 out of 12 entry points lack authentication checks, including all 7 AJAX handlers. This presents a considerable risk of unauthorized access and manipulation of plugin functionalities. The presence of a `unserialize` dangerous function, even without immediate taint flow indicators, is a red flag that could be exploited in conjunction with other vulnerabilities if user-controlled data is unserialized. The vulnerability history, while currently showing no unpatched CVEs, reveals a past of two medium severity vulnerabilities, both related to Cross-site Scripting. This pattern suggests a tendency for input sanitization issues, which, combined with the large number of unprotected entry points, could lead to future exploitable XSS or other injection vulnerabilities.

Key Concerns

  • AJAX handlers without authentication
  • Dangerous function: unserialize
  • Past XSS vulnerabilities indicate input sanitization issues
  • Bundled library: Select2 (potential for outdated version)
Vulnerabilities
2 published

CarDealerPress Security Vulnerabilities

CVEs by Year

1 CVE in 2024
2024
1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2025-3860medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CarDealerPress <= 6.8.2505.00 - Authenticated (Contributor+) Stored Cross-Site Scripting via saleclass Parameter

May 6, 2025 Patched in 6.8.2505.01 (8d)
CVE-2024-54325medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CarDealerPress <= 6.6.2410.02 - Reflected Cross-Site Scripting

Dec 11, 2024 Patched in 6.7.2411.00 (9d)
Version History

CarDealerPress Release Timeline

v6.9.2604.00Current
v6.9.2603.00
v6.8.2511.00
v6.8.2509.01
v6.8.2509.00
v6.8.2508.01
v6.8.2508.00
v6.8.2507.03
v6.8.2507.02
v6.8.2507.01
v6.8.2507.00
v6.8.2505.02
v6.8.2505.01
v6.8.2505.001 CVE
CVE-2025-3860
v6.7.2504.001 CVE
CVE-2025-3860
v6.7.2503.041 CVE
CVE-2025-3860
v6.7.2503.031 CVE
CVE-2025-3860
v6.7.2503.021 CVE
CVE-2025-3860
v6.7.2503.011 CVE
CVE-2025-3860
v6.7.2503.001 CVE
CVE-2025-3860
Code Analysis
Analyzed Mar 16, 2026

CarDealerPress Code Analysis

Dangerous Functions
1
Raw SQL Queries
5
100 prepared
Unescaped Output
25
676 escaped
Nonce Checks
8
Capability Checks
9
File Operations
0
External Requests
6
Bundled Libraries
1

Dangerous Functions Found

unserializeif ( ! empty( unserialize( $dealer['automalls'] ) ) ) {includes\database\class-inventory-handler.php:68

Bundled Libraries

Select2

SQL Query Safety

95% prepared105 total queries

Output Escaping

96% escaped701 total outputs
Attack Surface
7 unprotected

CarDealerPress Attack Surface

Entry Points12
Unprotected7

AJAX Handlers 7

authwp_ajax_sc_ajax_handleradmin\functions\class-main.php:145
noprivwp_ajax_sc_ajax_handleradmin\functions\class-main.php:152
authwp_ajax_saved_ajax_handleradmin\functions\class-main.php:163
noprivwp_ajax_saved_ajax_handleradmin\functions\class-main.php:170
authwp_ajax_extender_ajax_handleradmin\functions\class-main.php:182
noprivwp_ajax_extender_ajax_handleradmin\functions\class-main.php:189
authwp_ajax_admin_handle_requestincludes\init\class-admin-assets.php:65

Shortcodes 5

[inventory_list] includes\functions\class-shortcode.php:39
[inventory_detail] includes\functions\class-shortcode.php:40
[inventory_slider] includes\functions\class-shortcode.php:41
[inventory_counter] includes\functions\class-shortcode.php:42
[inventory_search] includes\functions\class-shortcode.php:43
WordPress Hooks 46
actioninitadmin\functions\class-main.php:57
actioncdp_cron_inventory_updateadmin\functions\class-main.php:64
actionadmin_noticesadmin\functions\class-main.php:91
actionrewrite_rules_arrayadmin\functions\class-main.php:138
actioninitadmin\functions\class-main.php:139
filterwpseo_sitemap_indexadmin\functions\class-main.php:200
filterrank_math/sitemap/indexadmin\functions\class-main.php:214
filterredirect_canonicaladmin\functions\class-main.php:228
filtergform_pre_send_emailadmin\functions\class-main.php:229
filtergform_field_value_dt_external_user_idadmin\functions\class-main.php:245
filtergform_notificationadmin\functions\class-main.php:257
actionwp_before_admin_bar_renderadmin\functions\class-main.php:270
actionwp_headadmin\functions\class-main.php:274
actionsend_headersadmin\functions\class-main.php:278
filterwidget_textadmin\functions\class-main.php:461
actioninitincludes\abstracts\class-custom-taxonomy.php:82
actionadmin_initincludes\admin\class-admin-settings-page.php:24
actionadmin_menuincludes\admin\class-admin-settings-page.php:29
actionadmin_initincludes\admin\class-shortcode-settings-page.php:34
actionadmin_menuincludes\admin\class-shortcode-settings-page.php:38
actionadmin_initincludes\admin\class-theme-settings-page.php:41
actionadmin_menuincludes\admin\class-theme-settings-page.php:45
actioncdp_cron_log_file_refreshincludes\cron\class-cron.php:29
actioncdp_cron_company_handler_refreshincludes\cron\class-cron.php:56
actionprocess_single_dealer_eventincludes\database\class-inventory-handler.php:40
filtergform_field_value_dt_external_user_idincludes\functions\class-saved-ajax.php:58
actiontemplate_redirectincludes\functions\class-show-theme.php:64
actionwp_headincludes\functions\class-show-theme.php:108
filterwp_kses_allowed_htmlincludes\helpers\class-allowed-html.php:20
filterwp_kses_allowed_htmlincludes\helpers\class-allowed-html.php:21
filterwp_kses_allowed_htmlincludes\helpers\class-allowed-html.php:22
filterwp_kses_allowed_htmlincludes\helpers\class-allowed-html.php:23
filterwp_kses_allowed_htmlincludes\helpers\class-allowed-html.php:24
filtersafe_style_cssincludes\helpers\class-allowed-html.php:26
actionadmin_noticesincludes\helpers\class-checkrequirements.php:92
actionadmin_initincludes\helpers\class-checkrequirements.php:93
filterwpseo_robotsincludes\helpers\class-dynamic-site-headers.php:79
filterwp_robotsincludes\helpers\class-dynamic-site-headers.php:80
filterrank_math/frontend/robotsincludes\helpers\class-dynamic-site-headers.php:81
filterwp_titleincludes\helpers\class-dynamic-site-headers.php:157
filterpre_get_document_titleincludes\helpers\class-dynamic-site-headers.php:158
actionwp_headincludes\helpers\class-dynamic-site-headers.php:159
actionadmin_enqueue_scriptsincludes\init\class-admin-assets.php:20
actionadmin_enqueue_scriptsincludes\init\class-admin-assets.php:21
actionwp_headtemplates\inventory\invdb-index.php:380
actionget_headertemplates\shortcode\sc_inventory_detail.php:67

Scheduled Events 4

cdp_cron_inventory_update
cdp_cron_log_file_refresh
cdp_cron_company_handler_refresh
process_single_dealer_event
Maintenance & Trust

CarDealerPress Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 9, 2026
PHP min version7.4
Downloads23K

Community Trust

Rating84/100
Number of ratings5
Active installs30
Alternatives

CarDealerPress Alternatives

Vehizo

Vehizo

vehizo-vehicle-management

A
100

Professional vehicle management for WordPress. Perfect for car dealerships with advanced filtering and contact forms.

10 No CVEs
Motors VIN Decoder

Motors VIN Decoder

motors-vin-decoder

A
92

Motors VIN Decoder & Vehicle History Check is free plugin to decode your vehicle VIN. Free version is based on USA National Highway Traffic Safety &hellip;

500 No CVEs
Directorykit Car Dealer Addon

Directorykit Car Dealer Addon

directorykit-car-dealer-addon

A
100

Transforms WordPress into a car dealership portal with demo listings; fully customizable with Elementor for automotive sites.

30 No CVEs
Automotive Inventory Importer – Sync Car Dealer Feeds

Automotive Inventory Importer – Sync Car Dealer Feeds

automotive-feed-import

A
100

Sync your car dealer inventory from XML or CSV feeds to WordPress. Auto-import vehicles with field mapping, search, gallery & more.

10 No CVEs
Formulas

Formulas

formulas

A
85

Automotive formulas for car enthusiast web sites

10 No CVEs
Developer Profile

CarDealerPress Developer Profile

DealerTrend

1 plugin · 30 total installs

93
trust score
Avg Security Score
99/100
Avg Patch Time
9 days
View full developer profile
Detection Fingerprints

How We Detect CarDealerPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cardealerpress/assets/css/style.css/wp-content/plugins/cardealerpress/assets/css/responsive.css/wp-content/plugins/cardealerpress/assets/css/cdp-custom.css/wp-content/plugins/cardealerpress/assets/css/cdp-swiper.css/wp-content/plugins/cardealerpress/assets/css/cdp-animate.css/wp-content/plugins/cardealerpress/assets/js/bootstrap.js/wp-content/plugins/cardealerpress/assets/js/cardealerpress.js/wp-content/plugins/cardealerpress/assets/js/cardealerpress-swiper.js+8 more
Script Paths
/wp-content/plugins/cardealerpress/assets/js/bootstrap.js/wp-content/plugins/cardealerpress/assets/js/cardealerpress.js/wp-content/plugins/cardealerpress/assets/js/cardealerpress-swiper.js/wp-content/plugins/cardealerpress/assets/js/bootstrap-datepicker.js/wp-content/plugins/cardealerpress/assets/js/cdp-custom.js/wp-content/plugins/cardealerpress/assets/js/jquery.form.js+1 more
Version Parameters
cardealerpress/assets/css/style.css?ver=cardealerpress/assets/css/responsive.css?ver=cardealerpress/assets/css/cdp-custom.css?ver=cardealerpress/assets/css/cdp-swiper.css?ver=cardealerpress/assets/css/cdp-animate.css?ver=cardealerpress/assets/js/bootstrap.js?ver=cardealerpress/assets/js/cardealerpress.js?ver=cardealerpress/assets/js/cardealerpress-swiper.js?ver=cardealerpress/assets/js/bootstrap-datepicker.js?ver=cardealerpress/assets/js/cdp-custom.js?ver=cardealerpress/assets/js/jquery.form.js?ver=cardealerpress/assets/js/select2.min.js?ver=cardealerpress/assets/css/bootstrap.css?ver=cardealerpress/assets/css/cdp-bootstrap-select.css?ver=cardealerpress/assets/css/bootstrap-datepicker.css?ver=cardealerpress/assets/css/select2.min.css?ver=

HTML / DOM Fingerprints

CSS Classes
cdp-banner-cdp-inventory-cdp-listing-cdp-widget-
HTML Comments
<!-- CarDealerPress Plugin --><!-- CarDealerPress Shortcode -->
Data Attributes
data-cdp-car-iddata-cdp-inventory-iddata-cdp-widget-id
JS Globals
cdp_ajax_objectcdp_varscardealerpress
REST Endpoints
/wp-json/cardealerpress/v1/
Shortcode Output
[cdp-listing][cdp-widget][cdp-banner][cdp-inventory]
FAQ

Frequently Asked Questions about CarDealerPress