CVE-2026-7859
Status: Received - Intake
Unauthenticated Post Metadata Modification in Motors WordPress Plugin

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: WPScan

Description
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.
CVSS Scores: none listed
EPSS Scores: not yet evaluated (probability and percentile not available)

Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: motors
Product: motors_car_dealership_and_classified_listings
Version / Range: up to but excluding 1.4.110
CWE ID: CWE-UNKNOWN

AI-generated analysis
Executive Summary

CVE-2026-7859 affects the Motors WordPress plugin in versions before 1.4.110. The plugin registers an AJAX action, stm_ajax_add_a_car_media, whose handler performs neither an authorization (capability) check nor a CSRF (nonce) check. In WordPress, an AJAX handler that is reachable by visitors who are not logged in has to enforce both itself; this one enforces neither, so anyone who can send a request to admin-ajax.php can invoke it.

Because the handler writes post metadata for a post chosen by the request, an unauthenticated attacker can change the gallery and featured image of arbitrary posts and, on WooCommerce sites, product prices.
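The defect class, as an added illustration that is not the Motors plugin's code (which this page does not reproduce): a hypothetical WordPress AJAX handler with the same pattern, followed by a hardened version. The action names (demo_save_media_insecure, demo_save_media), the request parameters (post_id, meta[key]=value) and the meta key demo_gallery are assumptions for the example; _thumbnail_id (featured image) and _price (WooCommerce) are the real core and WooCommerce meta keys.

```php
<?php
// Added example: a hypothetical handler, not the Motors plugin's code.
// Request parameters (post_id, meta[key]=value) and the action names are
// assumptions for this illustration.

// ---------------------------------------------------------------------------
// Vulnerable pattern: hooked on wp_ajax_nopriv_ (reachable without login),
// no nonce, no capability check, post ID and meta keys taken from the request.
// ---------------------------------------------------------------------------
function demo_save_media_insecure() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $meta    = isset( $_POST['meta'] ) ? (array) wp_unslash( $_POST['meta'] ) : array();

    // Any visitor can write any key on any post: a featured image
    // (_thumbnail_id), a gallery, or a WooCommerce price (_price).
    foreach ( $meta as $key => $value ) {
        update_post_meta( $post_id, $key, $value );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_media_insecure', 'demo_save_media_insecure' );
add_action( 'wp_ajax_nopriv_demo_save_media_insecure', 'demo_save_media_insecure' );

// ---------------------------------------------------------------------------
// Hardened pattern: nonce (CSRF), per-post capability check (authorization),
// allow-listed meta keys, and no nopriv hook.
// ---------------------------------------------------------------------------
const DEMO_ALLOWED_META = array( 'demo_gallery', '_thumbnail_id' );

function demo_filter_meta( array $meta ) {
    // Keep only allow-listed keys; values are reduced to integer IDs or lists
    // of integer IDs, which is all this handler is meant to store.
    $clean = array();
    foreach ( $meta as $key => $value ) {
        if ( ! in_array( $key, DEMO_ALLOWED_META, true ) ) {
            continue; // '_price' and anything else is dropped
        }
        $clean[ $key ] = is_array( $value ) ? array_map( 'absint', $value ) : absint( $value );
    }
    return $clean;
}

function demo_save_media_secure() {
    // CSRF: dies with HTTP 403 unless 'nonce' is a valid token for this action.
    check_ajax_referer( 'demo_save_media', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    // Authorization is per object: the caller must be allowed to edit THIS post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $meta = isset( $_POST['meta'] ) ? (array) wp_unslash( $_POST['meta'] ) : array();
    foreach ( demo_filter_meta( $meta ) as $key => $value ) {
        update_post_meta( $post_id, $key, $value );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_media', 'demo_save_media_secure' );
// Deliberately no wp_ajax_nopriv_demo_save_media: anonymous visitors get
// admin-ajax.php's default "0" response instead of reaching the handler.

// Token the front end must send as 'nonce'; expose it with wp_localize_script().
function demo_save_media_nonce() {
    return wp_create_nonce( 'demo_save_media' );
}
```

The three fixes are independent and all three are needed: the nonce alone still lets any logged-in user edit any post, the capability check alone still lets a forged cross-site request ride a logged-in editor's session, and dropping the nopriv hook alone leaves both of those open to any subscriber-level account.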

Impact Analysis

On a site running the Motors plugin below version 1.4.110, this vulnerability allows unauthorized changes without any account on the site. The advisory describes an integrity impact only; it does not report disclosure of data.

  • Attackers can replace gallery images and featured images on posts of their choosing.
  • On WooCommerce sites, including those configured for pay-per-listing, attackers can alter product prices.

Such unauthorized modifications undermine the integrity and trustworthiness of site content and e-commerce pricing, and a changed price is honoured at checkout until someone notices it.

Detection Guidance

Exploitation looks like requests to /wp-admin/admin-ajax.php carrying action=stm_ajax_add_a_car_media. Because the handler enforces neither authorization nor a nonce, such a request arriving without a WordPress login cookie (wordpress_logged_in_*) or from an unexpected origin is a strong indicator of an attempt.

Web server access logs are the quickest place to look, with one important caveat: Apache and Nginx log the request line only, so the action name appears in the log only when it is sent in the query string (a GET request). A POST to admin-ajax.php with the action in the body is logged as a bare POST /wp-admin/admin-ajax.php and grep will not find it. With that understood:

  • grep 'stm_ajax_add_a_car_media' /var/log/apache2/access.log
  • grep 'stm_ajax_add_a_car_media' /var/log/nginx/access.log

Packet capture with tcpdump or Wireshark does show POST bodies, but only where the traffic is plaintext at the capture point (for example between a TLS-terminating load balancer and the web server); on a host that serves HTTPS directly the captured payload is encrypted. Since update_post_meta() does not touch a post's modified date, the most reliable evidence is the data itself: compare the featured image (_thumbnail_id), gallery and, on WooCommerce, _price metadata of listings and products against a known-good backup or export.

Mitigation Strategies

The immediate mitigation is to update the Motors WordPress plugin to version 1.4.110 or later, where the vulnerability has been fixed.

Until the update can be applied, a virtual patch is the practical stop-gap: a WAF or server rule that rejects requests to /wp-admin/admin-ajax.php whose action parameter (in the query string or the POST body) is stm_ajax_add_a_car_media and that carry no wordpress_logged_in_* cookie. A rule keyed on the cookie closes the unauthenticated path but not the CSRF path, in which a logged-in editor's browser is made to send the request; only the plugin update adds the nonce check that closes that.

Also review the site for unauthorized changes to post metadata (galleries, featured images) and WooCommerce product prices, since any exploitation before the update leaves those changes in place.
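A virtual patch that serves both the detection guidance and the interim mitigation above, as an added example that is neither the Motors plugin's nor WPScan's code: a must-use plugin that intercepts admin-ajax.php requests for the stm_ajax_add_a_car_media action, refuses them unless the caller is logged in and may edit the targeted post, and writes one line per refused attempt to the PHP error log. The request parameter name post_id, the verdict strings and the log format are assumptions; check the plugin's own JavaScript for the real parameter name before deploying.

```php
<?php
/**
 * Plugin Name: Virtual patch for the Motors AJAX media action (added example)
 *
 * Added example, not code from the Motors plugin or from WPScan. Place it in
 * wp-content/mu-plugins/ so it loads before regular plugins. It does not fix
 * the plugin; it refuses requests for the stm_ajax_add_a_car_media action from
 * anyone who is not logged in with rights to edit the targeted post, and logs
 * every refused attempt. The parameter name "post_id" is an assumption.
 */

// Name of the AJAX action the advisory identifies.
const MOTORS_VP_ACTION = 'stm_ajax_add_a_car_media';

/**
 * Decide whether an AJAX request may proceed. Pure function so the policy is
 * easy to test: returns null when the request is not for the guarded action,
 * true when it may proceed, or a short reason string when it must be blocked.
 */
function motors_vp_verdict( $action, $logged_in, $post_id, $can_edit ) {
    if ( $action !== MOTORS_VP_ACTION ) {
        return null;
    }
    if ( ! $logged_in ) {
        return 'unauthenticated';
    }
    if ( $post_id <= 0 ) {
        return 'missing_post_id';
    }
    if ( ! $can_edit ) {
        return 'no_edit_capability';
    }
    return true;
}

function motors_vp_guard() {
    // admin-ajax.php fires admin_init before dispatching wp_ajax_{action},
    // so this runs ahead of the plugin's handler.
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action  = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $post_id = isset( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0;

    $verdict = motors_vp_verdict(
        $action,
        is_user_logged_in(),
        $post_id,
        $post_id > 0 && current_user_can( 'edit_post', $post_id )
    );
    if ( null === $verdict || true === $verdict ) {
        return;
    }

    // Detection: POST bodies never reach the web server access log, so this
    // error_log line is the record that grep on access.log would miss.
    error_log( sprintf(
        'motors-vp blocked %s reason=%s ip=%s post_id=%d method=%s',
        MOTORS_VP_ACTION,
        $verdict,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        $post_id,
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-'
    ) );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
add_action( 'admin_init', 'motors_vp_guard', 0 );
```

Where the lines end up depends on the PHP error_log setting (or WP_DEBUG_LOG, which sends them to wp-content/debug.log). The guard cannot verify a nonce, because the vulnerable plugin sends none; it closes the unauthenticated path described in the advisory, while the CSRF path against a logged-in editor remains until the plugin is updated. Remove the mu-plugin after updating to 1.4.110 or later.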

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
