Impact
The Motors WordPress plugin before version 1.4.110 fails to enforce proper authorization and CSRF checks on its stm_ajax_add_a_car_media AJAX action. This omission allows any remote attacker to send a crafted request without authentication and alter arbitrary post metadata, including gallery entries, featured images, and in WooCommerce environments product prices. Such unauthorized changes could be used to deface a site, misrepresent products, or manipulate e‑commerce pricing for financial gain.
Affected Systems
All WordPress sites running the Motors plugin version earlier than 1.4.110 are vulnerable. Sites that also use WooCommerce are at particular risk because the same AJAX action can modify product prices. The vulnerability is present regardless of user role; any visitor can trigger the flawed AJAX endpoint.
Risk and Exploitability
The attack can be performed over any network interface exposing the site, with no authentication required and no reliance on client‑side cookies. No EPSS information is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The CVSS score is not supplied, but the lack of safeguards combined with the ability to change e‑commerce pricing indicates a significant risk level, especially for business or merchant sites. Exploitation would likely occur by sending a POST request to the endpoint, so the attack vector is network‑based and the exposed population is broad.
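The defect described above is the absence of a nonce (CSRF) check and a capability check on an AJAX action that writes post metadata. The following added example is not the Motors plugin's code: it shows that unsafe handler pattern in a hypothetical handler and then the hardened form a maintainer would ship; the handler names, request parameter names and the meta-key allowlist are assumptions.

```php
<?php
// Added example, not the plugin's own code. Names below are hypothetical.

// UNSAFE PATTERN: registered for unauthenticated callers (wp_ajax_nopriv_) and
// performs neither a nonce check nor a capability check, so any POST from any
// visitor can rewrite arbitrary metadata on any post.
function example_unsafe_add_media() {
    $post_id = (int) $_POST['post_id'];
    update_post_meta( $post_id, sanitize_key( $_POST['meta_key'] ), wp_unslash( $_POST['meta_value'] ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_add_media', 'example_unsafe_add_media' );
add_action( 'wp_ajax_nopriv_example_add_media', 'example_unsafe_add_media' ); // exposed to visitors

// HARDENED: CSRF check, per-post authorization, and an allowlist of meta keys.
function example_safe_add_media() {
    // 1. CSRF: the request must carry a nonce issued for this action (sent as 'nonce').
    check_ajax_referer( 'example_add_media', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // 2. Authorization: caller must be permitted to edit this specific post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Only the meta keys this feature legitimately writes (allowlist is an assumption;
    //    '_thumbnail_id' is WordPress's featured-image key). Price keys are deliberately absent.
    $allowed = array( 'example_gallery', '_thumbnail_id' );
    $key     = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( 'meta key not permitted', 400 );
    }

    $value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';
    update_post_meta( $post_id, $key, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_add_media', 'example_safe_add_media' );
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
```

The nonce for the hardened handler is minted server-side with wp_create_nonce( 'example_add_media' ) and passed to the page's JavaScript, so a cross-site request cannot supply it.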
OpenCVE Enrichment