Description
The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the motordesk_admin_home function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings, including the search page URI and custom template directory path via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MotorDesk WordPress plugin suffers from a missing nonce validation in the motordesk_admin_home function, which permits an unauthenticated attacker to craft a forged HTTP request that an administrator can unknowingly submit. By doing so, the attacker can modify the plugin’s configuration settings, including the search page URI and the custom template directory path, without any form of authentication or authorization.

Affected Systems

Affected installations are those running MotorDesk plugin version 1.1.2 or earlier on any WordPress site. This includes all public or private servers where the plugin is active, with the vulnerability present in every code path that processes the admin home settings page.

Risk and Exploitability

The CVSS base score is 4.3, indicating moderate risk. The EPSS score is not reported, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited known exploitation. The attack vector is a typical CSRF scenario that requires an administrator to interact with a crafted link or form; thus, the attacker gains only configuration‑level privileges, but these changes can be leveraged for defacement, redirect, or further compromise.

Generated by OpenCVE AI on June 24, 2026 at 09:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MotorDesk plugin release (1.1.3 or newer) which adds nonce validation to the admin home action.
  • If an update cannot be performed immediately, restrict access to the WordPress admin area to trusted IP addresses and enforce multi‑factor authentication for administrators so that a forged request is less likely to be accepted.
  • Verify that all administrative requests include a valid nonce and audit other plugins for similar CSRF gaps; disable or patch any that are vulnerable.

Generated by OpenCVE AI on June 24, 2026 at 09:08 UTC.
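To make the remediation advice concrete, here is an added illustration (not MotorDesk's code, which this page does not show): a hypothetical WordPress plugin settings handler in the vulnerable shape the advisory describes, followed by the same handler with the capability check, nonce verification and input sanitisation that close the CSRF gap. Every name prefixed `hypothetical_` is invented for the example; the WordPress functions used are real core APIs.

```php
<?php
// Added illustration only; not MotorDesk's code. Option and function names
// prefixed hypothetical_ are invented for this example.

// Vulnerable shape: the handler trusts any POST that arrives while an
// administrator's session is active, so a cross-site form the admin is
// tricked into submitting can rewrite the plugin's settings (CWE-352).
function hypothetical_admin_home_vulnerable() {
    if ( isset( $_POST['search_page_uri'] ) ) {
        update_option( 'hypothetical_search_page_uri', $_POST['search_page_uri'] );
        update_option( 'hypothetical_template_dir', $_POST['template_dir'] );
    }
    // ... render the settings page ...
}

// Hardened shape: capability check, nonce verification, sanitised input.
function hypothetical_admin_home_hardened() {
    if ( isset( $_POST['hypothetical_save_settings'] ) ) {
        // Authorisation: only users who may manage options can save.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'hypothetical' ) );
        }
        // CSRF defence: check_admin_referer() validates the nonce field
        // emitted below and stops the request if it is absent, expired or forged.
        check_admin_referer( 'hypothetical_save_settings', 'hypothetical_nonce' );

        $uri = isset( $_POST['search_page_uri'] )
            ? esc_url_raw( wp_unslash( $_POST['search_page_uri'] ) ) : '';
        $dir = isset( $_POST['template_dir'] )
            ? sanitize_text_field( wp_unslash( $_POST['template_dir'] ) ) : '';
        update_option( 'hypothetical_search_page_uri', $uri );
        update_option( 'hypothetical_template_dir', $dir );
    }
    ?>
    <form method="post">
        <?php // The nonce is bound to this action and to the logged-in user. ?>
        <?php wp_nonce_field( 'hypothetical_save_settings', 'hypothetical_nonce' ); ?>
        <input type="text" name="search_page_uri"
               value="<?php echo esc_attr( get_option( 'hypothetical_search_page_uri', '' ) ); ?>">
        <input type="text" name="template_dir"
               value="<?php echo esc_attr( get_option( 'hypothetical_template_dir', '' ) ); ?>">
        <?php submit_button( 'Save', 'primary', 'hypothetical_save_settings' ); ?>
    </form>
    <?php
}
```

When auditing other plugins for the same gap, look for settings handlers that call `update_option()` on `$_POST` data without a preceding `check_admin_referer()` or `wp_verify_nonce()` call.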

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the motordesk_admin_home function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings, including the search page URI and custom template directory path via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title MotorDesk <= 1.1.2 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T12:38:12.957Z

Reserved: 2026-05-27T16:10:45.627Z

Link: CVE-2026-9724

Vulnrichment

Updated: 2026-06-24T12:38:07.013Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)