Description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The plugin accepts a Phone Number field that is not sanitized or escaped, allowing an authenticated Subscriber or higher to store arbitrary script code. After injection, the malicious code runs in the browser of any visitor who views the affected page, potentially leaking session cookies, defacing the site, or enabling further attacks.

Affected Systems

WordPress plugin Motors – Car Dealership & Classified Listings by Stylemix Themes. Versions up to 1.4.63 (inclusive) are vulnerable.

Risk and Exploitability

With a CVSS score of 5.4, the flaw is rated moderate. The EPSS score of less than 1% indicates a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be logged in with Subscriber‑level or higher privileges and to create or modify a phone number record; subsequent victims only need to view the injected page.

Generated by OpenCVE AI on April 21, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Motors plugin to version 1.4.64 or later.
  • Delete any phone number entries that contain script content or reset phone number fields to non‑script values.
  • Limit Subscriber‑level access to the phone number entry feature or deactivate the plugin for non‑admin users until the patch is applied.
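As an added, hypothetical illustration of the CWE-79 pattern the analysis describes (this is not the Motors plugin's own code): a phone-number field that is stored and rendered without sanitization or escaping, beside a hardened version that allowlists phone characters on save and escapes on output. It assumes the standard WordPress core functions sanitize_text_field(), wp_unslash(), esc_html(), esc_attr(), update_user_meta() and get_user_meta().

```php
<?php
// Hypothetical WordPress plugin code, added for illustration; not the Motors plugin's code.
// Assumes WordPress core functions sanitize_text_field(), wp_unslash(), esc_html(),
// esc_attr(), update_user_meta() and get_user_meta() are loaded.

// --- Vulnerable pattern (CWE-79): raw input stored, then echoed unescaped ---
function listing_phone_save_vulnerable( int $user_id ): void {
    // Whatever the Subscriber submitted is stored verbatim, markup included.
    update_user_meta( $user_id, 'listing_phone', $_POST['phone'] ?? '' );
}

function listing_phone_render_vulnerable( int $user_id ): string {
    // The stored value goes straight into HTML, so any script in it runs
    // in the browser of every visitor who views the listing.
    return '<span class="phone">' . get_user_meta( $user_id, 'listing_phone', true ) . '</span>';
}

// --- Hardened pattern: strict allowlist on input, contextual escaping on output ---
function listing_phone_sanitize( string $raw ): string {
    // sanitize_text_field() strips tags and control characters; the regex then keeps
    // only characters that can legitimately appear in a phone number.
    $clean = sanitize_text_field( $raw );
    $clean = preg_replace( '/[^0-9+\-().\s]/', '', $clean );
    // Cap the length so the field cannot be used as a general-purpose text sink.
    return substr( trim( $clean ), 0, 32 );
}

function listing_phone_save_hardened( int $user_id ): void {
    $raw = isset( $_POST['phone'] ) ? wp_unslash( $_POST['phone'] ) : '';
    update_user_meta( $user_id, 'listing_phone', listing_phone_sanitize( (string) $raw ) );
}

function listing_phone_render_hardened( int $user_id ): string {
    $phone = (string) get_user_meta( $user_id, 'listing_phone', true );
    // Escape per context: esc_attr() inside the href attribute, esc_html() for the text node.
    return '<a class="phone" href="tel:' . esc_attr( $phone ) . '">' . esc_html( $phone ) . '</a>';
}
```

Input sanitization at save time is defense in depth; the output escaping at render time is what actually stops stored content from executing, so keep both even when the field looks too narrow to hold markup.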


Advisories

Source: EUVD
ID: EUVD-2025-10320
Title: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 08 Aug 2025 20:00:00 +0000 (no values removed in this change)

Type: First Time appeared
Values Added: Stylemixthemes; Stylemixthemes motors - Car Dealer\, Classifieds \& Listing

Type: CPEs
Values Added: cpe:2.3:a:stylemixthemes:motors_-_car_dealer\,_classifieds_\&_listing:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Stylemixthemes; Stylemixthemes motors - Car Dealer\, Classifieds \& Listing

Tue, 08 Apr 2025 13:15:00 +0000 (no values removed in this change)

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 08 Apr 2025 09:45:00 +0000 (no values removed in this change)

Type: Description
Values Added: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Motors – Car Dealership & Classified Listings Plugin <= 1.4.63 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:51.050Z

Reserved: 2025-03-25T22:09:49.097Z

Link: CVE-2025-2808

Vulnrichment

Updated: 2025-04-08T13:07:25.955Z

NVD

Status: Analyzed

Published: 2025-04-08T10:15:18.940

Modified: 2025-08-08T19:52:54.783

Link: CVE-2025-2808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses