Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
AV:N/PR:N confirmed by unauthenticated network-accessible AJAX handler; C:N because no data exposure is described; I:L and A:L match unauthorized modification and limited disruption impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Motors <= 5.6.80 versions.
AnalysisAI
Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticated remote attackers to perform unauthorized actions, resulting in limited integrity and availability impact without requiring any credentials or user interaction. The vulnerability stems from CWE-862 (Missing Authorization), where specific theme functionality fails to enforce permission checks before executing sensitive operations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires no authentication (PR:N per CVSS vector) and no user interaction (UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.5 (Medium) reflects a meaningful but bounded threat: the attack is fully remote, requires zero privileges, and has low complexity, but impact is capped at integrity:Low and availability:Low with no confidentiality breach (C:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running the Motors theme via passive fingerprinting (e.g., theme name in page source or HTTP headers) and sends a crafted HTTP POST request to the WordPress AJAX endpoint targeting the vulnerable handler. The missing authorization check allows the request to proceed, enabling the attacker to modify theme data or trigger a denial-of-service condition on specific theme functionality without supplying any credentials. … |
| Remediation | The primary remediation is to update the Motors theme to a version released after 5.6.80 - the exact patched version is not independently confirmed in the available intelligence data, but the Patchstack advisory at https://patchstack.com/database/wordpress/theme/motors/vulnerability/wordpress-motors-theme-5-6-80-broken-access-control-vulnerability should be consulted for the confirmed fix version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX action
Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote u
Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attack
Unauthorized data modification in the Motors car dealership and classified listings plugin for WordPress (versions <= 1.
Broken access control in the Motors WordPress plugin (StylemixThemes) prior to version 1.4.107 enables subscriber-level
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41337
GHSA-fmc6-6rcg-62mh