Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated, network-reachable endpoint with a missing authorization check (PR:N, AV:N, AC:L) enabling unauthorized data modification (I:H) with no confidentiality or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Motors <= 1.4.109 versions.
AnalysisAI
Unauthorized data modification in the Motors car dealership and classified listings plugin for WordPress (versions <= 1.4.109) lets remote unauthenticated attackers invoke privileged actions they should not reach, due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/PR:N/UI:N) confirms no authentication and no user interaction are required, with a high integrity impact but no confidentiality or availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that a target run the Motors car dealership and classified listings WordPress plugin at version 1.4.109 or earlier with the vulnerable endpoint network-reachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.5 (High), driven entirely by integrity (I:H) with C:N and A:N, meaning an attacker can alter or create data but cannot directly read protected data or take the site offline through this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request directly to a vulnerable Motors plugin endpoint that lacks an authorization check, invoking a privileged action such as creating, modifying, or deleting listing or configuration data without logging in. Because the action requires no authentication and no user interaction (AV:N/PR:N/UI:N, AC:L), it can be scripted and run at scale against any reachable site; no public exploit code is identified at time of analysis, so an attacker would first need to discover the unprotected handler. |
| Remediation | Upgrade the Motors plugin to the first release newer than 1.4.109 that contains the fix, as published on the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/motors-car-dealership-classified-listings/vulnerability/wordpress-motors-plugin-1-4-109-broken-access-control-vulnerability); an exact patched version number is not provided in the input and should be confirmed against the StyleMix Themes changelog before deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for the Motors plugin (versions 1.4.109 and earlier); immediately disable the plugin and implement WAF rules to restrict database modifications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX action
Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote u
Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attack
Broken access control in the Motors WordPress plugin (StylemixThemes) prior to version 1.4.107 enables subscriber-level
Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticat
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39366
GHSA-pgwq-7q76-fm42