Description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible.
Published: 2025-04-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Plugin Installation leading to potential remote code execution
Action: Upgrade
AI Analysis

Impact

The vulnerable function in the Motors – Car Dealership & Classified Listings Plugin allows authenticated users with Subscriber-level access or higher to install and activate any WordPress plugin. Because the code does not verify that the user possesses the capability to manage plugins, an attacker can bootstrap malicious plugin code onto the site. The presence of arbitrary code in a plugin can grant the attacker full control over the site’s filesystem and execution environment, potentially enabling remote code execution.

Affected Systems

All WordPress sites running the Motors – Car Dealership & Classified Listings Plugin version 1.4.64 or earlier are affected. The issue was discovered in the setup wizard’s AJAX action handler and is present in all releases up to and including 1.4.64.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity. The EPSS score is < 1%, indicating that exploitation is currently unlikely, and the vulnerability is not listed in CISA KEV. The attack requires authentication as a Subscriber or higher, but because the capability check is omitted, an attacker only needs to be a logged‑in user, making the vulnerability relatively easy to exploit in a compromised or widely accessible site.

Generated by OpenCVE AI on April 21, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Motors – Car Dealership & Classified Listings Plugin to version 1.4.65 or newer to eliminate the missing capability check
  • If an upgrade cannot be performed immediately, restrict the capability to install plugins by editing user roles so that only administrators retain this right
  • After installing the patched version, audit the site's user roles to verify that no unintended users have plugin installation privileges
  • Continuously monitor WordPress error logs and audit trails for any unauthorized plugin installation attempts

Generated by OpenCVE AI on April 21, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10319 The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible.
History

Fri, 08 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Stylemixthemes
Stylemixthemes motors - Car Dealer\, Classifieds \& Listing
CPEs cpe:2.3:a:stylemixthemes:motors_-_car_dealer\,_classifieds_\&_listing:*:*:*:*:*:wordpress:*:*
Vendors & Products Stylemixthemes
Stylemixthemes motors - Car Dealer\, Classifieds \& Listing

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00321}

 epss

{'score': 0.00113}

Tue, 08 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 08 Apr 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible.
Title Motors – Car Dealership & Classified Listings Plugin <= 1.4.64 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Stylemixthemes Motors - Car Dealer\, Classifieds \& Listing
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:54.452Z

Reserved: 2025-03-25T22:04:46.455Z

Link: CVE-2025-2807

cve-icon Vulnrichment

Updated: 2025-04-08T13:09:13.187Z

cve-icon NVD

Status : Analyzed

Published: 2025-04-08T10:15:16.780

Modified: 2025-08-08T20:02:34.773

Link: CVE-2025-2807

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses