Skip to main content

Motors

6 CVEs product

Monthly

CVE-2026-27433 MEDIUM This Month

Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticated remote attackers to perform unauthorized actions, resulting in limited integrity and availability impact without requiring any credentials or user interaction. The vulnerability stems from CWE-862 (Missing Authorization), where specific theme functionality fails to enforce permission checks before executing sensitive operations. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated, low-complexity attack profile makes opportunistic exploitation straightforward for any threat actor targeting WordPress installations.

Authentication Bypass Motors
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54828 HIGH This Week

Unauthorized data modification in the Motors car dealership and classified listings plugin for WordPress (versions <= 1.4.109) lets remote unauthenticated attackers invoke privileged actions they should not reach, due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/PR:N/UI:N) confirms no authentication and no user interaction are required, with a high integrity impact but no confidentiality or availability impact. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Motors
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-7859 MEDIUM POC PATCH This Month

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.

WordPress CSRF Motors Authentication Bypass
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-54812 CRITICAL Act Now

Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, leading to confidentiality compromise of the WordPress database and limited availability impact. The CVSS 3.1 base score of 9.3 reflects a scope change (S:C), meaning the impact extends beyond the plugin to the underlying database engine shared with the WordPress core. No public exploit identified at time of analysis, but the SQLi class and unauthenticated network vector make this a high-priority issue for sites running the Motors car dealership/classified listings plugin.

SQLi Motors
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54814 HIGH This Week

Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attackers to include arbitrary PHP files from the server filesystem. The flaw is classified as CWE-98 (PHP Remote File Inclusion) but is exploitable only as LFI per the vendor description, enabling source code disclosure, sensitive file read, and potential code execution if a writable PHP file can be reached. No public exploit identified at time of analysis and the vulnerability is not present in CISA KEV.

PHP Information Disclosure LFI Motors
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39515 MEDIUM PATCH This Month

Broken access control in the Motors WordPress plugin (StylemixThemes) prior to version 1.4.107 enables subscriber-level authenticated users to invoke privileged actions that trigger a high availability impact, without passing appropriate authorization checks. Reported by Patchstack and tracked under EUVD-2026-36954, this flaw targets WordPress sites running an unpatched Motors plugin where the lowest default user role - subscriber - can reach restricted functionality. No public exploit has been identified at time of analysis and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

Authentication Bypass Motors
NVD
CVSS 3.1
6.5
EPSS
0.4%
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticated remote attackers to perform unauthorized actions, resulting in limited integrity and availability impact without requiring any credentials or user interaction. The vulnerability stems from CWE-862 (Missing Authorization), where specific theme functionality fails to enforce permission checks before executing sensitive operations. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated, low-complexity attack profile makes opportunistic exploitation straightforward for any threat actor targeting WordPress installations.

Authentication Bypass Motors
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data modification in the Motors car dealership and classified listings plugin for WordPress (versions <= 1.4.109) lets remote unauthenticated attackers invoke privileged actions they should not reach, due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/PR:N/UI:N) confirms no authentication and no user interaction are required, with a high integrity impact but no confidentiality or availability impact. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Motors
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.

WordPress CSRF Motors +1
NVD WPScan VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, leading to confidentiality compromise of the WordPress database and limited availability impact. The CVSS 3.1 base score of 9.3 reflects a scope change (S:C), meaning the impact extends beyond the plugin to the underlying database engine shared with the WordPress core. No public exploit identified at time of analysis, but the SQLi class and unauthenticated network vector make this a high-priority issue for sites running the Motors car dealership/classified listings plugin.

SQLi Motors
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attackers to include arbitrary PHP files from the server filesystem. The flaw is classified as CWE-98 (PHP Remote File Inclusion) but is exploitable only as LFI per the vendor description, enabling source code disclosure, sensitive file read, and potential code execution if a writable PHP file can be reached. No public exploit identified at time of analysis and the vulnerability is not present in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Broken access control in the Motors WordPress plugin (StylemixThemes) prior to version 1.4.107 enables subscriber-level authenticated users to invoke privileged actions that trigger a high availability impact, without passing appropriate authorization checks. Reported by Patchstack and tracked under EUVD-2026-36954, this flaw targets WordPress sites running an unpatched Motors plugin where the lowest default user role - subscriber - can reach restricted functionality. No public exploit has been identified at time of analysis and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

Authentication Bypass Motors
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy