Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Subscriber authentication required (PR:L) over network (AV:N); impact confined to availability (A:H) with no confidentiality or integrity impact confirmed.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Subscriber Broken Access Control in Motors < 1.4.107 versions.
AnalysisAI
Broken access control in the Motors WordPress plugin (StylemixThemes) prior to version 1.4.107 enables subscriber-level authenticated users to invoke privileged actions that trigger a high availability impact, without passing appropriate authorization checks. Reported by Patchstack and tracked under EUVD-2026-36954, this flaw targets WordPress sites running an unpatched Motors plugin where the lowest default user role - subscriber - can reach restricted functionality. No public exploit has been identified at time of analysis and CISA has not listed this in the Known Exploited Vulnerabilities catalog.
Technical ContextAI
The Motors plugin (CPE: cpe:2.3:a:stylemixthemes:motors:*:*:*:*:*:*:*:*) is a WordPress car dealership and classified listings solution developed by StylemixThemes. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints or WordPress AJAX actions fail to verify the requesting user holds sufficient capabilities before executing sensitive operations. In the WordPress role hierarchy, the subscriber role is the lowest level, typically restricted to reading published content. By omitting capability checks at affected endpoints, the plugin permits subscribers to invoke operations restricted to higher roles - in this case producing a high availability impact as confirmed by the CVSS A:H metric. The vulnerability class is consistent with common WordPress plugin flaws where nonce verification is present but role/capability checking is absent.
RemediationAI
Upgrade the Motors WordPress plugin to version 1.4.107 or later - this is the vendor-released patch confirmed by Patchstack and EUVD source data. Site administrators should update via the WordPress plugin dashboard or download the patched release directly from the plugin repository. Full advisory details are at https://patchstack.com/database/wordpress/plugin/motors-car-dealership-classified-listings/vulnerability/wordpress-motors-plugin-1-4-107-broken-access-control-vulnerability. If immediate upgrade is not possible, disable open user registration (WordPress Admin > Settings > General > uncheck 'Anyone can register') to prevent untrusted parties from obtaining subscriber accounts needed for exploitation - note this will block legitimate self-registration flows. As an additional compensating control, a WAF rule targeting the specific vulnerable AJAX action or REST endpoint could limit exposure, but the exact endpoint is not disclosed in publicly available advisories, making precise rule authoring difficult without vendor guidance.
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX action
Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote u
Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attack
Unauthorized data modification in the Motors car dealership and classified listings plugin for WordPress (versions <= 1.
Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticat
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36954
GHSA-c744-86vr-w8f4