StylemixThemes Motors CVE-2026-54812
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network SQLi against a WordPress plugin: AV:N/AC:L/PR:N/UI:N; blind SQLi yields high confidentiality and limited integrity via DB writes, no availability impact, scope unchanged within wpdb.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Motors allows Blind SQL Injection.
This issue affects Motors: from n/a through 1.4.109.
AnalysisAI
Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, leading to confidentiality compromise of the WordPress database and limited availability impact. The CVSS 3.1 base score of 9.3 reflects a scope change (S:C), meaning the impact extends beyond the plugin to the underlying database engine shared with the WordPress core. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default installations of the StylemixThemes Motors plugin (versions up to and including 1.4.109) on any WordPress site where the plugin is active and its listing/search endpoints are reachable over HTTP(S). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L is a high-severity profile: network-reachable, low complexity, no privileges, no user interaction, with scope change and high confidentiality impact - typical of unauthenticated SQLi in a WordPress plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker discovers a WordPress site running the Motors plugin (often identifiable via theme fingerprints or specific URL paths) and sends crafted HTTP requests to a vulnerable Motors endpoint, embedding boolean- or time-based SQL inference payloads in parameters such as search filters or listing IDs. Through repeated requests, the attacker exfiltrates sensitive data from the WordPress database, including the wp_users table containing password hashes and email addresses, ultimately enabling credential cracking and full site takeover. … |
| Remediation | Upstream fix available per Patchstack advisory; a released patched version greater than 1.4.109 is implied but not independently confirmed from the supplied data, so administrators should upgrade the Motors plugin to the latest available version published by StylemixThemes via the WordPress dashboard or the vendor portal, consulting https://patchstack.com/database/wordpress/plugin/motors-car-dealership-classified-listings/vulnerability/wordpress-motors-plugin-1-4-109-sql-injection-vulnerability for the exact fix version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress installations for Motors plugin presence (wp-cli: 'wp plugin list --name=motors'); immediately deactivate any version ≤1.4.109 and document affected business processes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX action
Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attack
Unauthorized data modification in the Motors car dealership and classified listings plugin for WordPress (versions <= 1.
Broken access control in the Motors WordPress plugin (StylemixThemes) prior to version 1.4.107 enables subscriber-level
Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticat
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today