Motors Car Dealership and Classified Listings Plugin Missing Authorization Vulnerability

Vulnerability

A vulnerability exists in the Motors – Car Dealership & Classified Listings plugin for WordPress, in all versions up to and including 1.4.66. The issue arises from missing capability checks in several functions within the ajax_actions.php file. This flaw allows authenticated attackers with Subscriber-level access and above to modify data and execute various initial setup actions without authorization.

Impact

Exploitation of this vulnerability could lead to unauthorized data modifications and the execution of several setup actions, potentially allowing an attacker to manipulate plugin or site functionality.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request to the WordPress site carrying the 'stm_mvl_setup_wizard_nonce' for an action that should require higher privileges, such as 'mvl_setup_wizard_load_step', 'mvl_setup_wizard_install_starter_theme', or 'mvl_setup_wizard_starter_import_fields'. Because no capability check is performed, the action runs without the necessary permissions; the nonce only proves the request originated from the site's own forms, not that the user holds the required role.

Remediation

Users are advised to update the Motors – Car Dealership & Classified Listings Plugin to version 1.4.67 or later.
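The pattern behind this advisory, shown as an added illustration that is not the plugin's own code: an admin-ajax handler that validates the 'stm_mvl_setup_wizard_nonce' but never checks the caller's capability, beside its hardened form. The function names, the 'nonce' request parameter and the 'step' parameter are assumptions; the action and nonce names come from the advisory.

```php
<?php
// Illustrative reconstruction (not the plugin's code). Function names,
// the 'nonce' query argument and the 'step' parameter are assumptions.

// BEFORE: nonce only. A nonce proves the request came through the site's
// own UI, not that the user is an administrator, so any logged-in user
// (Subscriber and above) reaches the setup-wizard step.
function example_setup_wizard_load_step_vulnerable() {
    check_ajax_referer( 'stm_mvl_setup_wizard_nonce', 'nonce' );
    $step = isset( $_POST['step'] ) ? sanitize_key( $_POST['step'] ) : '';
    // ... perform the setup-wizard step (assumed) ...
    wp_send_json_success( array( 'step' => $step ) );
}

// AFTER: nonce AND capability. Setup/installation actions are
// administrative, so gate them on manage_options (or a narrower,
// plugin-specific capability) before doing any work.
function example_setup_wizard_load_step_fixed() {
    check_ajax_referer( 'stm_mvl_setup_wizard_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $step = isset( $_POST['step'] ) ? sanitize_key( $_POST['step'] ) : '';
    // ... perform the setup-wizard step (assumed) ...
    wp_send_json_success( array( 'step' => $step ) );
}

// Register only the logged-in hook; never add a wp_ajax_nopriv_ variant
// for setup actions, and apply the same capability check to every
// privileged handler in the file (install_starter_theme, import_fields, ...).
add_action( 'wp_ajax_mvl_setup_wizard_load_step', 'example_setup_wizard_load_step_fixed' );
```

The capability check must run inside each handler; registering the action only under wp_ajax_ (not wp_ajax_nopriv_) restricts it to logged-in users, which still includes Subscribers.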

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.