Impact
The vulnerability resides in the Motors – Car Dealership & Classified Listings Plugin for WordPress. It is an authorization bypass that permits authenticated users with Subscriber-level access or higher to alter the post meta of any car listing. An attacker can use a harvested nonce from their own listing to set the 'Sold' badge on another listing, and this action also removes the 'special_car' featured meta field. The flaw is a failure to verify the acting user’s authorization for the specific action, which leads to integrity compromise of listing data, potentially affecting the business of the vehicle sale platform.
Affected Systems
All installations of the Motors plugin version 1.4.111 and earlier are affected. The plugin is a WordPress add‑on developed by Stylemix for car dealership and classified listings.
Risk and Exploitability
With a CVSS score of 4.3, the vulnerability carries a medium severity rating. The EPSS score is not available, and it is not currently listed in CISA KEV. Exploitation requires an attacker to be an authenticated WordPress user with at least Subscriber privileges and to own an active listing, which lets them obtain a valid nonce. Once a nonce is obtained, the attacker can replay the request against arbitrary listing post IDs, because the handler checks the nonce but not whether the user is allowed to modify the targeted listing. The attack vector is the web application itself and requires only user authentication, so the risk applies to any site that has the plugin installed and allows Subscriber-level accounts.
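The root cause described in the Impact and Risk sections is a handler that treats a CSRF nonce as if it were an authorization check. The following is an added illustration, not code from the Motors plugin: the handler names, the AJAX action, the post type, the meta keys (`sold`, `special_car`) and the nonce action strings are all assumed. It contrasts the weak pattern (nonce only, post ID taken from the request) with a hardened one that binds the nonce to the listing and performs an explicit capability or ownership check.

```php
<?php
// Added example, not the Motors plugin's code. All names below are hypothetical.

// WEAK PATTERN: the nonce only proves the request originated from a page the
// logged-in user loaded. It says nothing about whether that user may edit the
// listing whose ID arrives in the request body.
function hypo_mark_sold_weak() {
    check_ajax_referer( 'hypo_listing_nonce', 'nonce' );   // CSRF check only
    $listing_id = absint( $_POST['listing_id'] );          // caller-controlled

    update_post_meta( $listing_id, 'sold', '1' );
    delete_post_meta( $listing_id, 'special_car' );         // featured flag lost
    wp_send_json_success();
}

// HARDENED PATTERN: per-listing nonce plus a real authorization decision.
function hypo_mark_sold_hardened() {
    $listing_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;

    // 1. Nonce bound to this post ID: a nonce generated on the attacker's own
    //    listing page does not validate for a different listing_id.
    check_ajax_referer( 'hypo_mark_sold_' . $listing_id, 'nonce' );

    // 2. The target must exist and be the expected object type.
    $post = get_post( $listing_id );
    if ( ! $post || 'hypo_listing' !== $post->post_type ) {
        wp_send_json_error( 'invalid listing', 400 );
    }

    // 3. Authorization. current_user_can( 'edit_post', $id ) is the canonical
    //    check; the explicit author comparison is for plugins (as assumed here)
    //    that let Subscribers own listings even though the Subscriber role has
    //    no edit_posts capability.
    $is_owner = (int) $post->post_author === get_current_user_id();
    if ( ! current_user_can( 'edit_post', $listing_id ) && ! $is_owner ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    update_post_meta( $listing_id, 'sold', '1' );
    delete_post_meta( $listing_id, 'special_car' );
    wp_send_json_success();
}

add_action( 'wp_ajax_hypo_mark_sold', 'hypo_mark_sold_hardened' );

// When rendering the "mark as sold" control on a listing page, issue the nonce
// for that listing only (hypothetical template code):
// wp_nonce_field( 'hypo_mark_sold_' . get_the_ID(), 'nonce' );
```

Two points matter when reviewing a plugin for this class of bug. First, `check_ajax_referer()` and `wp_verify_nonce()` are CSRF defenses; a nonce is issued to any logged-in user who can view the page, so it never establishes that the user may act on a given object. Second, the object identifier must feed the authorization check, not just the database write: any handler that reads a post ID from the request and calls `update_post_meta()` or `delete_post_meta()` without a preceding `current_user_can()` (or equivalent ownership check) on that same ID exhibits the pattern described on this page.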
OpenCVE Enrichment