Motors – Car Dealer, Classifieds & Listing
cpe:2.3:a:stylemixthemes:motors_-_car_dealer,_classifieds_&_listing:*:*:*:*:wordpress:*:*
- <= 1.4.57
A vulnerability exists in the Motors – Car Dealer, Classifieds & Listing plugin for WordPress, in versions through 1.4.57. The issue arises from missing capability checks in the 'motors_create_template' and 'motors_delete_template' functions. This flaw enables authenticated attackers with Subscriber-level access or higher to delete arbitrary posts or create listing templates. The vulnerability requires the Elementor plugin, which is necessary for the Motors Starter Theme, to be installed.
Exploitation of this vulnerability allows for unauthorized deletion of posts and creation of listing templates by users with Subscriber-level access or higher.
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send an AJAX request to the 'wp_ajax_motors_wpcfto_create_template' action to create a listing template, or to the 'wp_ajax_motors_wpcfto_delete_template' action to delete a post. The request must include the appropriate AJAX referer for the action being performed.
Users are advised to update the Motors – Car Dealer, Classifieds & Listing plugin to version 1.4.58 or later.
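For sites that cannot update immediately, the missing capability check can be enforced from outside the plugin. The following must-use plugin is an added example, not the Motors plugin's own code or its 1.4.58 fix; the capability `edit_others_posts`, the file location `wp-content/mu-plugins/motors-template-guard.php` and the `motors_guard_*` names are assumptions, while the two action names are the ones given above.

```php
<?php
/**
 * Plugin Name: Motors template AJAX guard (added example)
 * Description: Rejects the two template AJAX actions for users without a required capability.
 */

// Assumption: listing templates should only be managed by users who may edit
// other people's posts. Pick the capability that matches the site's role model.
const MOTORS_GUARD_CAPABILITY = 'edit_others_posts';

// Action names as stated in the advisory; WordPress fires "wp_ajax_{action}"
// for logged-in users who POST to admin-ajax.php.
const MOTORS_GUARD_ACTIONS = array(
    'motors_wpcfto_create_template',
    'motors_wpcfto_delete_template',
);

/**
 * Runs before the plugin's own handler. A Subscriber holds a valid nonce for
 * these actions, so the nonce alone does not prove authorization; the
 * capability check below is the part the vulnerable versions lack.
 */
function motors_guard_require_capability() {
    if ( current_user_can( MOTORS_GUARD_CAPABILITY ) ) {
        return; // Authorized: fall through to the plugin's handler and its nonce check.
    }

    // Record the denied attempt so it can be reviewed or alerted on.
    error_log( sprintf(
        'motors-guard: denied %s for user_id=%d ip=%s',
        current_filter(),
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Sends a JSON error with HTTP 403 and terminates the request, so the
    // plugin's handler registered on the same hook never executes.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

foreach ( MOTORS_GUARD_ACTIONS as $motors_guard_action ) {
    // PHP_INT_MIN priority makes the guard run ahead of any other callback on the hook.
    add_action( 'wp_ajax_' . $motors_guard_action, 'motors_guard_require_capability', PHP_INT_MIN );
}
```

The `motors-guard: denied` log lines double as a detection signal for Subscriber-level accounts probing these actions.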