Description
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Motors WordPress plugin before version 1.4.110 fails to enforce proper authorization and CSRF checks on its stm_ajax_add_a_car_media AJAX action. This omission allows any remote attacker to send a crafted request without authentication and alter arbitrary post metadata, including gallery entries, featured images, and in WooCommerce environments product prices. Such unauthorized changes could be used to deface a site, misrepresent products, or manipulate e‑commerce pricing for financial gain.

Affected Systems

All WordPress sites running the Motors plugin version earlier than 1.4.110 are vulnerable. Sites that also use WooCommerce are at particular risk because the same audit target can modify product prices. The vulnerability is present regardless of user role; any visitor can trigger the flawed AJAX endpoint.

Risk and Exploitability

The attack can be performed over any network interface exposing the site, with no authentication required and no reliance on client‑side cookies. No EPSS information is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The CVSS score of 5.3 indicates a moderate severity level, but the lack of safeguards combined with the ability to change e‑commerce pricing indicates a significant risk level, especially for business or merchant sites. Exploitation would likely occur by sending a POST request to the endpoint, thus the vector is network‑based and the threat is widespread.

Generated by OpenCVE AI on June 22, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Motors plugin to version 1.4.110 or later.
  • If an upgrade is not immediately possible, completely disable or delete the stm_ajax_add_a_car_media AJAX endpoint, or uninstall the Motors plugin.
  • Apply standard access‑control and CSRF checks to the endpoint by validating a logged‑in user and requiring a nonce token with each request.

Generated by OpenCVE AI on June 22, 2026 at 16:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Motors
Motors motors
Wordpress
Wordpress wordpress
Vendors & Products Motors
Motors motors
Wordpress
Wordpress wordpress

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-352

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-352

Mon, 22 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.
Title Motors Car Dealership & Classified Listings < 1.4.110 - Unauthenticated Post-Meta Write via stm_ajax_add_a_car_media
References

Subscriptions

Motors Motors
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-22T12:50:05.276Z

Reserved: 2026-05-05T11:51:07.439Z

Link: CVE-2026-7859

cve-icon Vulnrichment

Updated: 2026-06-22T12:49:53.585Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:30Z

Weaknesses