Skip to main content

Motors WordPress Plugin CVE-2026-39515

| EUVDEUVD-2026-36954 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-c744-86vr-w8f4
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Subscriber authentication required (PR:L) over network (AV:N); impact confined to availability (A:H) with no confidentiality or integrity impact confirmed.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 23:13 vuln.today
Patch available
Jun 15, 2026 - 22:02 EUVD

DescriptionCVE.org

Subscriber Broken Access Control in Motors < 1.4.107 versions.

AnalysisAI

Broken access control in the Motors WordPress plugin (StylemixThemes) prior to version 1.4.107 enables subscriber-level authenticated users to invoke privileged actions that trigger a high availability impact, without passing appropriate authorization checks. Reported by Patchstack and tracked under EUVD-2026-36954, this flaw targets WordPress sites running an unpatched Motors plugin where the lowest default user role - subscriber - can reach restricted functionality. No public exploit has been identified at time of analysis and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

Technical ContextAI

The Motors plugin (CPE: cpe:2.3:a:stylemixthemes:motors:*:*:*:*:*:*:*:*) is a WordPress car dealership and classified listings solution developed by StylemixThemes. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints or WordPress AJAX actions fail to verify the requesting user holds sufficient capabilities before executing sensitive operations. In the WordPress role hierarchy, the subscriber role is the lowest level, typically restricted to reading published content. By omitting capability checks at affected endpoints, the plugin permits subscribers to invoke operations restricted to higher roles - in this case producing a high availability impact as confirmed by the CVSS A:H metric. The vulnerability class is consistent with common WordPress plugin flaws where nonce verification is present but role/capability checking is absent.

RemediationAI

Upgrade the Motors WordPress plugin to version 1.4.107 or later - this is the vendor-released patch confirmed by Patchstack and EUVD source data. Site administrators should update via the WordPress plugin dashboard or download the patched release directly from the plugin repository. Full advisory details are at https://patchstack.com/database/wordpress/plugin/motors-car-dealership-classified-listings/vulnerability/wordpress-motors-plugin-1-4-107-broken-access-control-vulnerability. If immediate upgrade is not possible, disable open user registration (WordPress Admin > Settings > General > uncheck 'Anyone can register') to prevent untrusted parties from obtaining subscriber accounts needed for exploitation - note this will block legitimate self-registration flows. As an additional compensating control, a WAF rule targeting the specific vulnerable AJAX action or REST endpoint could limit exposure, but the exact endpoint is not disclosed in publicly available advisories, making precise rule authoring difficult without vendor guidance.

Share

CVE-2026-39515 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy