Skip to main content

Motors (WordPress) CVE-2026-13114

| EUVDEUVD-2026-43130 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-11 Wordfence GHSA-3gm5-qvcv-5943
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Unauthenticated network injection (AV:N/AC:L/PR:N), but a victim must view the stored payload so UI:R; script runs in a different context (S:C) with limited C/I impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 03:46 vuln.today
CVE Published
Jul 11, 2026 - 02:31 cve.org
HIGH 7.2

DescriptionCVE.org

The Motors - Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content and User Biographical Info in all versions up to, and including, 1.4.112 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the StyleMix Motors - Car Dealership & Classified Listings plugin for WordPress (all versions through 1.4.112) lets unauthenticated attackers persist malicious JavaScript through the Comment Content and User Biographical Info fields, which then executes in the browser of any visitor or administrator who views the affected page. The scope-changed CVSS 3.1 score of 7.2 reflects that injected script runs in a security context different from the vulnerable component. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach public comment or profile field
Delivery
Submit crafted XSS payload
Exploit
Payload stored by plugin (helpers.php sink)
Execution
Admin or visitor loads injected page
Persist
Script executes in victim browser
Impact
Steal session or forge admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to submit content into the plugin's Comment Content field or the WordPress User Biographical Info field on a site running Motors <= 1.4.112; per CVSS PR:N this injection can be performed by unauthenticated attackers, so no login is needed for the initial payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N describes network-reachable, low-complexity, unauthenticated exploitation with a scope change and low confidentiality/integrity impact - consistent with a classic stored XSS reported by a credible source (Wordfence). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a listing/blog comment or edits a user biographical info field containing a crafted script payload (for example an event handler or <script> tag). The payload is stored and served to everyone who views the affected page, and when a logged-in administrator opens it the script executes in their session - enabling cookie/session theft or forged administrative actions. …
Remediation Upstream fix available (WordPress.org changeset 3594971); the released patched version number is not independently confirmed from the provided data, so update the Motors plugin to the latest available release above 1.4.112 published by StyleMix and verify the installed version afterward. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress deployments using StyleMix Motors plugin and disable it immediately to prevent further injection. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13114 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy