Skip to main content

MotorDesk CVE-2026-9724

| EUVDEUVD-2026-38665 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-24 Wordfence GHSA-w9jx-q9hr-x62p
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-delivered CSRF requires no attacker privileges but mandates active admin user interaction; integrity impact limited to plugin configuration fields only, no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 06:51 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 4.3

DescriptionCVE.org

The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the motordesk_admin_home function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings, including the search page URI and custom template directory path via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery in the MotorDesk WordPress plugin (all versions ≤ 1.1.2) allows unauthenticated remote attackers to overwrite critical plugin configuration settings by tricking a logged-in administrator into clicking a crafted link. The vulnerable function motordesk_admin_home in motordesk_admin.php lacks proper WordPress nonce validation, meaning the server accepts state-changing POST requests without confirming the administrator intentionally submitted them. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target site running MotorDesk ≤1.1.2
Delivery
Craft hidden HTML form targeting admin endpoint
Exploit
Deliver phishing link to site administrator
Execution
Admin clicks link while authenticated to WordPress
Persist
Browser submits forged POST request
Impact
Plugin search URI or template path overwritten

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress installation is running the MotorDesk plugin at version 1.1.2 or earlier with the plugin active and enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, score 4.3) is internally consistent: the attack is network-deliverable with low complexity and no attacker-side privileges, but the mandatory UI:R component - requiring an administrator to be actively tricked - is the primary limiting factor that keeps this at Medium severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker builds a web page containing a hidden HTML form that submits a POST request to the target WordPress site's MotorDesk admin handler, embedding a malicious custom template directory path pointing to attacker-controlled content. The attacker delivers a link to this page to a site administrator via phishing email or a compromised third-party site; when the administrator visits the page while their WordPress session is active, the browser automatically submits the forged request and the plugin configuration is overwritten without any confirmation prompt. …
Remediation No vendor-released patched version has been independently confirmed in the available data - administrators should monitor the MotorDesk plugin page on the WordPress plugin repository and the Wordfence advisory for a patched release and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy