Description
Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through <= 1.4.80.
Published: 2025-08-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference (IDOR), allowing an attacker to manipulate a user-controlled key to bypass access controls. This flaw can grant unauthorized access to other vehicle listings, reviews, or administrative settings within the Stylemix Motors plugin, potentially compromising confidentiality, integrity, or availability of dealership data. The weakness is classified as CWE‑639, indicating that the software fails to correctly enforce authorization checks when processing user input.

Affected Systems

The affected component is the Stylemix Motors "motors‑car‑dealership‑classified‑listings" WordPress plugin, version 1.4.80 and earlier. No specific sub‑versions are listed, so all releases from the initial introduction up to and including 1.4.80 are susceptible.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate severity. The EPSS score is below 1%, suggesting a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely occur via a remote web request, with an attacker crafting a URL or form submission containing a manipulated key to access resources that belong to other users. No specific privilege escalation or code execution is required; the primary risk is unauthorized data access.

Generated by OpenCVE AI on April 30, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Stylemix Motors plugin to version 1.4.81 or later, where the IDOR issue is fixed.
  • If an upgrade is not immediately possible, restrict direct URL access to sensitive endpoints by applying role‑based access checks or using .htaccess rules to limit traffic to authorized users only.
  • Conduct a review of the plugin’s role and permission configuration, ensuring that only users with the correct capabilities can request vehicle listings, reviews, or administrative functions.


Advisories
Source: EUVD
ID: EUVD-2025-24703
Title: Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through 1.4.80.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through 1.4.80.
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through <= 1.4.80.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Sat, 16 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Stylemix
Stylemix motors
Wordpress
Wordpress wordpress
Vendors & Products Stylemix
Stylemix motors
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through 1.4.80.
Title WordPress Motors Plugin plugin <= 1.4.80 - Insecure Direct Object References (IDOR) Vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:35.044Z

Reserved: 2025-07-28T10:55:57.300Z

Link: CVE-2025-54691

Vulnrichment

Updated: 2025-08-14T17:59:36.955Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:50.130

Modified: 2026-04-23T15:32:49.987

Link: CVE-2025-54691

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:45:06Z
