Skip to main content

StylemixThemes Motors CVE-2026-54812

CRITICAL
SQL Injection (CWE-89)
2026-06-17 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.2 HIGH

Unauthenticated network SQLi against a WordPress plugin: AV:N/AC:L/PR:N/UI:N; blind SQLi yields high confidentiality and limited integrity via DB writes, no availability impact, scope unchanged within wpdb.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 15:34 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Motors allows Blind SQL Injection.

This issue affects Motors: from n/a through 1.4.109.

AnalysisAI

Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, leading to confidentiality compromise of the WordPress database and limited availability impact. The CVSS 3.1 base score of 9.3 reflects a scope change (S:C), meaning the impact extends beyond the plugin to the underlying database engine shared with the WordPress core. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Motors plugin
Delivery
Send crafted request to vulnerable listing endpoint
Exploit
Inject blind SQL payload into parameter
Execution
Infer database contents via boolean/time responses
Persist
Exfiltrate wp_users credentials
Impact
Crack hashes and authenticate as admin

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default installations of the StylemixThemes Motors plugin (versions up to and including 1.4.109) on any WordPress site where the plugin is active and its listing/search endpoints are reachable over HTTP(S). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L is a high-severity profile: network-reachable, low complexity, no privileges, no user interaction, with scope change and high confidentiality impact - typical of unauthenticated SQLi in a WordPress plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a WordPress site running the Motors plugin (often identifiable via theme fingerprints or specific URL paths) and sends crafted HTTP requests to a vulnerable Motors endpoint, embedding boolean- or time-based SQL inference payloads in parameters such as search filters or listing IDs. Through repeated requests, the attacker exfiltrates sensitive data from the WordPress database, including the wp_users table containing password hashes and email addresses, ultimately enabling credential cracking and full site takeover. …
Remediation Upstream fix available per Patchstack advisory; a released patched version greater than 1.4.109 is implied but not independently confirmed from the supplied data, so administrators should upgrade the Motors plugin to the latest available version published by StylemixThemes via the WordPress dashboard or the vendor portal, consulting https://patchstack.com/database/wordpress/plugin/motors-car-dealership-classified-listings/vulnerability/wordpress-motors-plugin-1-4-109-sql-injection-vulnerability for the exact fix version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress installations for Motors plugin presence (wp-cli: 'wp plugin list --name=motors'); immediately deactivate any version ≤1.4.109 and document affected business processes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54812 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy