Skip to main content

Motors (WordPress) CVE-2026-54828

| EUVDEUVD-2026-39366 HIGH
Missing Authorization (CWE-862)
2026-06-25 Patchstack GHSA-pgwq-7q76-fm42
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated, network-reachable endpoint with a missing authorization check (PR:N, AV:N, AC:L) enabling unauthorized data modification (I:H) with no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:18 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Motors <= 1.4.109 versions.

AnalysisAI

Unauthorized data modification in the Motors car dealership and classified listings plugin for WordPress (versions <= 1.4.109) lets remote unauthenticated attackers invoke privileged actions they should not reach, due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/PR:N/UI:N) confirms no authentication and no user interaction are required, with a high integrity impact but no confidentiality or availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Motors plugin
Delivery
Send crafted request to unprotected endpoint
Exploit
Bypass missing authorization check
Execution
Create or modify listing/config data
Impact
Tamper with site integrity

Vulnerability AssessmentAI

Exploitation Exploitation requires only that a target run the Motors car dealership and classified listings WordPress plugin at version 1.4.109 or earlier with the vulnerable endpoint network-reachable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.5 (High), driven entirely by integrity (I:H) with C:N and A:N, meaning an attacker can alter or create data but cannot directly read protected data or take the site offline through this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request directly to a vulnerable Motors plugin endpoint that lacks an authorization check, invoking a privileged action such as creating, modifying, or deleting listing or configuration data without logging in. Because the action requires no authentication and no user interaction (AV:N/PR:N/UI:N, AC:L), it can be scripted and run at scale against any reachable site; no public exploit code is identified at time of analysis, so an attacker would first need to discover the unprotected handler.
Remediation Upgrade the Motors plugin to the first release newer than 1.4.109 that contains the fix, as published on the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/motors-car-dealership-classified-listings/vulnerability/wordpress-motors-plugin-1-4-109-broken-access-control-vulnerability); an exact patched version number is not provided in the input and should be confirmed against the StyleMix Themes changelog before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for the Motors plugin (versions 1.4.109 and earlier); immediately disable the plugin and implement WAF rules to restrict database modifications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy