Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-exploitable AJAX action; subscriber authentication required (PR:L); own-listing nonce precondition does not raise AC beyond Low given ease of listing submission; impact is integrity-only on target post data.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Motors - Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user's car listing as sold by replaying a valid nonce harvested from their own listing against an arbitrary victim post ID, triggering a site-wide 'Sold' badge on the victim's listing and silently stripping its special_car featured post meta as a side effect. Exploitation requires the attacker to hold an active listing of their own (obtainable by a Subscriber via the plugin's add-listing form) in order to harvest a valid nonce for the 'stm_mark_as_sold_car' action, which can then be replayed against any other listing's post ID.
AnalysisAI
Authorization bypass in the Motors - Car Dealership & Classified Listings Plugin for WordPress allows authenticated subscriber-level users to arbitrarily mark any other user's vehicle listing as sold by replaying a harvested nonce against a victim's post ID. All plugin versions up to and including 1.4.111 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold an authenticated WordPress account at subscriber level or above on the target site; anonymous or unauthenticated attackers cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (Medium) reflects a network-accessible, low-complexity attack requiring only subscriber-level authentication with no user interaction and limited integrity impact and no confidentiality or availability impact - the official vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N is consistent with the described behavior. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WordPress site running the Motors plugin and submits their own vehicle listing using the plugin's public add-listing form, which grants access to the listing management UI. From that UI, the attacker captures the nonce value embedded in the 'Mark as Sold' action for their own listing, then crafts repeated AJAX POST requests replaying that nonce against the post IDs of competitor or victim listings, systematically marking them as sold and stripping their featured status without any further interaction from the victims. |
| Remediation | Update the Motors plugin to a version beyond 1.4.111 as soon as a patched release is published to the WordPress plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Arbitrary file deletion in the Motors - Car Dealership & Classified Listings Plugin for WordPress (versions up to and in
Stored cross-site scripting in the StyleMix Motors - Car Dealership & Classified Listings plugin for WordPress (all vers
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40935
GHSA-f64c-q58q-9942