CVE-2026-12435
Status: Received - Intake

Authorization Bypass in Motors WordPress Plugin

Vulnerability report for CVE-2026-12435, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. The handler for the 'stm_mark_as_sold_car' action checks that the request carries a valid nonce but never verifies that the requesting user is authorized to act on the specific listing named in the request. Because the nonce action is the fixed string 'stm_mark_as_sold_car' rather than one bound to a post ID, a nonce issued to a user for their own listing is accepted for any other post ID. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user's car listing as sold by harvesting a valid nonce from their own listing and replaying it against an arbitrary victim post ID. The victim's listing then shows a site-wide 'Sold' badge, and its special_car featured post meta is silently stripped as a side effect. Exploitation requires the attacker to hold an active listing of their own, which a Subscriber can obtain through the plugin's add-listing form, in order to harvest the nonce.

CVSS Scores

EPSS Scores


Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
EPSS Evaluated
N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: motors
Product: car_dealership_classified_listings_plugin
Version / Range: up to 1.4.111 (inclusive)

Exploitability

CWE

CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

KEV

Executive Summary

The Motors – Car Dealership & Classified Listings Plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 1.4.111. This occurs because the plugin does not properly verify if a user is authorized to perform certain actions.

An authenticated attacker with subscriber-level access or higher can exploit this by taking a valid nonce (a request token) issued for their own car listing and replaying it against another user's listing, because the nonce is tied to the action, not to the listing. This lets the attacker mark or unmark any other user's car listing as sold.

The victim's listing then displays a site-wide 'Sold' badge and, as a side effect, silently loses its special_car featured post meta.

The attacker must hold an active listing of their own, which a Subscriber can create through the plugin's add-listing form, to obtain the valid nonce.

Impact Analysis

This vulnerability allows an attacker with subscriber-level access to manipulate other users' car listings by marking or unmarking them as sold without proper authorization.

Such unauthorized changes can lead to misinformation on the site, potentially damaging the reputation of legitimate sellers and causing confusion among buyers.

Additionally, the silent removal of the special_car featured post meta could affect the visibility or prominence of listings, impacting business operations.

Detection Guidance

This vulnerability is an authorization bypass in the 'stm_mark_as_sold_car' action of the Motors – Car Dealership & Classified Listings Plugin for WordPress: an authenticated user with subscriber-level access replays a nonce issued for their own listing against another user's listing. At the nonce level such a request is indistinguishable from a legitimate one, so detection has to compare the acting user with the target listing's author rather than look at the token.

Watch for 'sold' status changes on listings whose post_author is not the user making the change, particularly when the actor is a subscriber-level account, and for one account toggling the status of several different listings in a short window. If the action is dispatched as a POST to admin-ajax.php, the usual pattern for WordPress AJAX actions, ordinary web-server access logs record only the admin-ajax.php URL and not the action name or target post ID, so the acting user ID, target post ID and post author need to be logged at the application layer (for example with a hook on the action) and reviewed there.

The CVE description and its linked resources do not provide specific detection commands.

Mitigation Strategies

Until a fixed version is available, the most direct interim control is to enforce an ownership check in front of the 'stm_mark_as_sold_car' handler, for example with a must-use plugin that rejects the request when the acting user is neither the listing's author nor otherwise allowed to edit it. Removing subscribers' ability to add listings limits new attackers but does not protect against accounts that already hold a listing, since one listing is all that is needed to harvest a nonce.

Audit changes to listings marked as sold, especially those initiated by subscriber-level users, compare the actor against the listing's post_author, and revert unauthorized changes; check the special_car featured post meta as well, since the exploit strips it silently.

Apply the plugin developer's update that addresses this authorization bypass as soon as it is released; the affected range ends at 1.4.111.
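The following must-use plugin is an added example that illustrates the missing check described above, provides the interim ownership enforcement suggested under Mitigation Strategies, and produces the application-layer log record the Detection Guidance asks for. It is not code from the Motors plugin or from Wordfence. It assumes, without confirmation from the advisory, that the action is dispatched through admin-ajax.php on the 'wp_ajax_stm_mark_as_sold_car' hook at the default priority 10 and that the target listing ID arrives in the POST parameter 'post_id'; the function names are illustrative.

```php
<?php
/**
 * Plugin Name: Motors sold-status ownership guard (interim, illustrative)
 * Description: Enforces an ownership/capability check in front of the
 * Motors 'stm_mark_as_sold_car' AJAX action and logs denied attempts.
 *
 * Added example, not code from the Motors plugin or from Wordfence.
 * Assumptions not confirmed by the advisory: the action runs on the
 * 'wp_ajax_stm_mark_as_sold_car' hook at priority 10, and the target
 * listing ID is sent as $_POST['post_id']. Place this file in
 * wp-content/mu-plugins/ so it loads before regular plugins.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * True only when the current user may change the listing's sold status:
 * they authored it, or they hold edit_post on it (editors/admins).
 *
 * Comparing against post_author is the step the vulnerable handler omits.
 * A valid nonce proves the request came from a logged-in session that was
 * shown the form; it says nothing about which listing that session owns.
 */
function motors_guard_user_owns_listing( $post_id, $user_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return false; // Unknown ID: deny rather than let the plugin decide.
    }
    if ( (int) $post->post_author === (int) $user_id ) {
        return true;
    }
    // Subscribers lack edit_posts, so this only passes for editor-level roles.
    return current_user_can( 'edit_post', $post_id );
}

/**
 * Runs at priority 1, ahead of the plugin's own handler. Denied requests
 * are logged with actor, target and owner, then terminated before the
 * plugin can update the sold flag or strip the special_car meta.
 * The plugin's own nonce check still runs for requests that pass.
 */
function motors_guard_mark_as_sold() {
    // 'post_id' is an assumed parameter name; adjust to the real one.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    $user_id = get_current_user_id();

    if ( motors_guard_user_owns_listing( $post_id, $user_id ) ) {
        return; // Fall through to the plugin's handler.
    }

    $post = get_post( $post_id );
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // One line per denied attempt: enough to spot one actor hitting many listings.
    error_log( sprintf(
        'motors-guard: denied stm_mark_as_sold_car user=%d post=%d author=%d ip=%s',
        $user_id,
        $post_id,
        $post ? (int) $post->post_author : -1,
        $ip
    ) );

    wp_send_json_error( array( 'message' => 'Not allowed to change this listing.' ), 403 );
}
add_action( 'wp_ajax_stm_mark_as_sold_car', 'motors_guard_mark_as_sold', 1 );
```

Legitimate owners are unaffected because the guard returns early and the plugin's handler runs as before. If the plugin registers its handler at a priority below 1, dispatches the action through a different hook, or names the post parameter differently, the guard never fires and must be adjusted; confirm the hook and parameter against the installed plugin before relying on it.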

