Description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions.
Published: 2025-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Patch Plugin
AI Analysis

Impact

The vulnerability arises from a missing capability check in the ajax_actions.php file of the Motors – Car Dealership & Classified Listings Plugin. This omission allows any authenticated user with Subscriber-level access or higher to invoke several initial set‑up functions that were intended to be restricted to administrators. As a result, attackers can modify plugin configuration data, potentially altering listings, dealership information, or other critical settings without proper authorization.

Affected Systems

WordPress sites running stylemix:Motors – Car Dealership & Classified Listings Plugin versions up to and including 1.4.66 are affected. All installations of these versions are vulnerable to the unauthorized modification of data.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate risk, while the EPSS score of less than 1% suggests a low exploitation probability at the time of analysis. The vulnerability is not present in the CISA KEV catalog. Attackers must be authenticated but need only Subscriber-level privileges, which are commonly granted. An attacker who can log in as a Subscriber can trigger the set‑up actions that lack authorization checks. Because the problem exists in all versions up to and including 1.4.66, every site running one of those versions remains exposed until the plugin is updated.

Generated by OpenCVE AI on April 20, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Motors – Car Dealership & Classified Listings Plugin to the latest available version that resolves the missing capability checks (e.g., 1.4.67 or later).
  • Verify that after the update, the set‑up actions are only executable by users with Administrator privileges and that no other role can invoke them.
  • Review any custom code or role‑capability modifications on the site to ensure no Subscriber or lower roles have been granted unauthorized permissions to trigger plugin configuration changes.



Advisories
| Source | ID | Title |
| --- | --- | --- |
| EUVD | EUVD-2025-10315 | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions. |

History

Fri, 08 Aug 2025 20:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Stylemixthemes; Stylemixthemes motors - Car Dealer\, Classifieds \& Listing |
| CPEs | | cpe:2.3:a:stylemixthemes:motors_-_car_dealer\,_classifieds_\&_listing:*:*:*:*:*:wordpress:*:* |
| Vendors & Products | | Stylemixthemes; Stylemixthemes motors - Car Dealer\, Classifieds \& Listing |

Tue, 08 Apr 2025 13:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 08 Apr 2025 09:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions. |
| Title | | Motors – Car Dealership & Classified Listings Plugin <= 1.4.66 - Missing Authorization to Authenticated (Subscriber+) Wizard Set-up |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:54.886Z

Reserved: 2025-04-07T20:36:53.998Z

Link: CVE-2025-3437

Vulnrichment

Updated: 2025-04-08T13:05:06.470Z

NVD

Status: Analyzed

Published: 2025-04-08T10:15:19.413

Modified: 2025-08-08T19:48:23.283

Link: CVE-2025-3437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses