Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Network-delivered CSRF requires no attacker privileges but mandates active admin user interaction; integrity impact limited to plugin configuration fields only, no confidentiality or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the motordesk_admin_home function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings, including the search page URI and custom template directory path via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery in the MotorDesk WordPress plugin (all versions ≤ 1.1.2) allows unauthenticated remote attackers to overwrite critical plugin configuration settings by tricking a logged-in administrator into clicking a crafted link. The vulnerable function motordesk_admin_home in motordesk_admin.php lacks proper WordPress nonce validation, meaning the server accepts state-changing POST requests without confirming the administrator intentionally submitted them. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress installation is running the MotorDesk plugin at version 1.1.2 or earlier with the plugin active and enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, score 4.3) is internally consistent: the attack is network-deliverable with low complexity and no attacker-side privileges, but the mandatory UI:R component - requiring an administrator to be actively tricked - is the primary limiting factor that keeps this at Medium severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker builds a web page containing a hidden HTML form that submits a POST request to the target WordPress site's MotorDesk admin handler, embedding a malicious custom template directory path pointing to attacker-controlled content. The attacker delivers a link to this page to a site administrator via phishing email or a compromised third-party site; when the administrator visits the page while their WordPress session is active, the browser automatically submits the forged request and the plugin configuration is overwritten without any confirmation prompt. … |
| Remediation | No vendor-released patched version has been independently confirmed in the available data - administrators should monitor the MotorDesk plugin page on the WordPress plugin repository and the Wordfence advisory for a patched release and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38665
GHSA-w9jx-q9hr-x62p