Description
Unauthenticated Broken Access Control in Motors <= 1.4.109 versions.
Published: 2026-06-25
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an unauthenticated broken access control flaw in the StylemixThemes Motors WordPress plugin through version 1.4.109. It allows an attacker without valid credentials to bypass the plugin’s authorization checks, potentially exposing or modifying protected data such as user accounts, listings, or other sensitive information. The weakness is classified as CWE-862 (Missing Authorization), meaning the affected functionality does not enforce an access control check.

Affected Systems

WordPress sites that have the StylemixThemes Motors plugin version 1.4.109 or any earlier revision are affected. Sites using 1.4.110 or newer are not vulnerable because the vendor released a patch addressing the access‑control oversight.

Risk and Exploitability

The CVSS base score is 7.5, indicating high severity. The EPSS score is not available, so the current likelihood of exploitation is unknown, and the vulnerability is not listed in CISA’s KEV catalog. It is inferred that the likely attack vector is remote interaction with the plugin’s exposed endpoints or API calls, with no user authentication required. The CVSS vector on this record rates the impact as high for integrity, with no confidentiality or availability impact (C:N/I:H/A:N); overall, the risk is significant for affected sites.

Generated by OpenCVE AI on June 25, 2026 at 16:05 UTC.

Remediation

Vendor Solution

Update the WordPress Motors Plugin to the latest available version (at least 1.4.110).


OpenCVE Recommended Actions

  • Update the WordPress Motors plugin to version 1.4.110 or later as recommended by the vendor.
  • If immediate update is not feasible, consider disabling or removing the plugin and monitoring access logs for suspicious activity to mitigate the unauthorized access risk.
  • Maintain a routine process of updating all WordPress core files, themes, and plugins, and apply security best practices such as least privilege management and regular vulnerability scanning to reduce similar future risks.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Broken Access Control in Motors <= 1.4.109 versions.
Title | | WordPress Motors plugin <= 1.4.109 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:20:47.598Z

Reserved: 2026-06-16T09:21:51.802Z

Link: CVE-2026-54828

Vulnrichment

Updated: 2026-06-25T14:20:44.468Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:15:15Z

Weaknesses