Description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user's car listing as sold by replaying a valid nonce harvested from their own listing against an arbitrary victim post ID, triggering a site-wide 'Sold' badge on the victim's listing and silently stripping its special_car featured post meta as a side effect. Exploitation requires the attacker to hold an active listing of their own (obtainable by a Subscriber via the plugin's add-listing form) in order to harvest a valid nonce for the 'stm_mark_as_sold_car' action, which can then be replayed against any other listing's post ID.
Published: 2026-07-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Motors – Car Dealership & Classified Listings Plugin for WordPress. It is an authorization bypass that permits authenticated users with Subscriber-level access or higher to alter the post meta of any car listing. An attacker can use a harvested nonce from their own listing to set the 'Sold' badge on another listing, and this action also removes the 'special_car' featured meta field. The flaw is a failure to verify the acting user’s authorization for the specific action, which leads to integrity compromise of listing data, potentially affecting the business of the vehicle sale platform.
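The missing check is easiest to see next to its fix. The following PHP is an added, hypothetical illustration of the CWE-862 pattern described above, not the Motors plugin's own code; the 'stm_mark_as_sold_car' action and the 'special_car' meta key come from the advisory, while the 'car_mark_as_sold' meta key and the 'security', 'post_id' and 'sold' request parameters are assumptions.

```php
<?php
// Hypothetical illustration of the missing-authorization pattern; not the
// Motors plugin's actual code. A nonce only proves the request came from a form
// the site rendered for the current user; it says nothing about which post
// that user is allowed to modify.

// Vulnerable shape: the nonce is checked, but ownership of $post_id is not, so a
// nonce minted for the caller's own listing is accepted for any other post ID.
function stm_mark_as_sold_car_vulnerable() {
    check_ajax_referer( 'stm_mark_as_sold_car', 'security' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    update_post_meta( $post_id, 'car_mark_as_sold', 'on' ); // hypothetical meta key
    delete_post_meta( $post_id, 'special_car' );            // the side effect from the advisory
    wp_send_json_success();
}

// Hardened shape: bind the nonce to the specific post and require that the
// current user may edit that post. current_user_can( 'edit_post', $id ) goes
// through map_meta_cap, so a Subscriber passes only for listings they own
// (assumes the listing post type registers its capabilities the standard way).
function stm_mark_as_sold_car_hardened() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( 'unknown listing', 404 ); // wp_send_json_error() calls wp_die()
    }
    // The nonce action includes the post ID, so one minted for listing A is useless for B.
    check_ajax_referer( 'stm_mark_as_sold_car_' . $post_id, 'security' );
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }
    $sold = ( $_POST['sold'] ?? '' ) === '1';
    if ( $sold ) {
        update_post_meta( $post_id, 'car_mark_as_sold', 'on' );
    } else {
        delete_post_meta( $post_id, 'car_mark_as_sold' );
    }
    // Unrelated meta such as special_car is left alone; the edit-listing flow
    // that owns that field carries its own authorization check.
    wp_send_json_success( array( 'post_id' => $post_id, 'sold' => $sold ) );
}

// When rendering the owner's "mark as sold" button, mint the matching per-post nonce:
//   wp_create_nonce( 'stm_mark_as_sold_car_' . get_the_ID() )
add_action( 'wp_ajax_stm_mark_as_sold_car', 'stm_mark_as_sold_car_hardened' );
```

Replaying a nonce against a different post ID then fails at the nonce check, and a forged per-post nonce still fails at the capability check, so either control alone would have stopped the reported replay.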

Affected Systems

All installations of the Motors plugin version 1.4.111 and earlier are affected. The plugin is a WordPress add-on developed by Stylemix for car dealership and classified listings.

Risk and Exploitability

With a CVSS score of 4.3 the vulnerability carries a medium severity rating. The EPSS score is not available, and it is not currently listed in CISA KEV. Exploitation requires an attacker to be an authenticated WordPress user with at least Subscriber privileges and to own an active listing, which lets them harvest a valid nonce. Once a nonce is obtained, the attacker can replay the request against arbitrary listing post IDs. The attack vector is the web application itself and requires only user authentication, so any site that has the plugin installed and allows Subscriber-level accounts is exposed.

Generated by OpenCVE AI on July 1, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Motors plugin to the latest release (version 1.4.112 or newer).
  • If an immediate upgrade is not possible, disable the 'add listing' and 'mark as sold' features for Subscriber roles until a patch is applied.
  • Revoke or lock compromised user accounts that may have harvested nonces, and review site activity logs for suspicious listing modifications.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 11:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 08:15:00 +0000

Type: Description
Values Removed: none
Values Added: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user's car listing as sold by replaying a valid nonce harvested from their own listing against an arbitrary victim post ID, triggering a site-wide 'Sold' badge on the victim's listing and silently stripping its special_car featured post meta as a side effect. Exploitation requires the attacker to hold an active listing of their own (obtainable by a Subscriber via the plugin's add-listing form) in order to harvest a valid nonce for the 'stm_mark_as_sold_car' action, which can then be replayed against any other listing's post ID.

Type: Title
Values Removed: none
Values Added: Motors <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Modification via 'stm_mark_as_sold_car' Parameter

Type: Weaknesses
Values Removed: none
Values Added: CWE-862

Type: References
Values Removed: none
Values Added: none

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T10:32:04.521Z

Reserved: 2026-06-16T18:34:03.436Z

Link: CVE-2026-12435

Vulnrichment

Updated: 2026-07-01T10:30:38.565Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T13:00:15Z

Weaknesses