Skip to main content

Motors WordPress Plugin CVE-2026-12435

| EUVDEUVD-2026-40935 MEDIUM
Missing Authorization (CWE-862)
2026-07-01 Wordfence GHSA-f64c-q58q-9942
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-exploitable AJAX action; subscriber authentication required (PR:L); own-listing nonce precondition does not raise AC beyond Low given ease of listing submission; impact is integrity-only on target post data.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 08:35 vuln.today
CVE Published
Jul 01, 2026 - 07:53 nvd
MEDIUM 4.3

DescriptionCVE.org

The Motors - Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user's car listing as sold by replaying a valid nonce harvested from their own listing against an arbitrary victim post ID, triggering a site-wide 'Sold' badge on the victim's listing and silently stripping its special_car featured post meta as a side effect. Exploitation requires the attacker to hold an active listing of their own (obtainable by a Subscriber via the plugin's add-listing form) in order to harvest a valid nonce for the 'stm_mark_as_sold_car' action, which can then be replayed against any other listing's post ID.

AnalysisAI

Authorization bypass in the Motors - Car Dealership & Classified Listings Plugin for WordPress allows authenticated subscriber-level users to arbitrarily mark any other user's vehicle listing as sold by replaying a harvested nonce against a victim's post ID. All plugin versions up to and including 1.4.111 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target site
Delivery
Submit own car listing to obtain listing management UI
Exploit
Harvest valid 'stm_mark_as_sold_car' nonce from own listing
Execution
Enumerate or guess victim listing post IDs
Persist
Replay nonce via AJAX against victim post IDs
Impact
Victim listings flagged as sold and featured meta stripped

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an authenticated WordPress account at subscriber level or above on the target site; anonymous or unauthenticated attackers cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) reflects a network-accessible, low-complexity attack requiring only subscriber-level authentication with no user interaction and limited integrity impact and no confidentiality or availability impact - the official vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N is consistent with the described behavior. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running the Motors plugin and submits their own vehicle listing using the plugin's public add-listing form, which grants access to the listing management UI. From that UI, the attacker captures the nonce value embedded in the 'Mark as Sold' action for their own listing, then crafts repeated AJAX POST requests replaying that nonce against the post IDs of competitor or victim listings, systematically marking them as sold and stripping their featured status without any further interaction from the victims.
Remediation Update the Motors plugin to a version beyond 1.4.111 as soon as a patched release is published to the WordPress plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12435 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy