Security Alert Summary
The Motors – Car Dealership & Classified Listings Plugin for WordPress contains an authorization bypass in all versions up to and including 1.4.111. Authenticated users with subscriber-level access or higher can mark or unmark other users’ car listings as “Sold” by replaying a valid nonce from their own listing against an arbitrary post ID. Exploitation triggers a site-wide “Sold” badge on the victim’s listing and can silently remove the listing’s special_car featured post meta.
CVE Details
- CVE ID: CVE-2026-12435
- Affected component: Motors – Car Dealership & Classified Listings Plugin
- Affected versions: All versions up to and including 1.4.111
- Published: July 1, 2026 at 8:16:21 AM UTC
- Last modified: July 1, 2026 at 1:56:17 PM UTC
- CVSS v3.1 base score: 4.3 (MEDIUM)
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Authentication / Privileges: Requires authentication; privileges required: Low (authenticated user, e.g., Subscriber). User interaction: None.
- Primary impact: Integrity: Low; Confidentiality: None; Availability: None
- Weakness: CWE-862 (Missing Authorization)
Technical Details
The plugin fails to properly verify that a user is authorized to perform the action used to mark a listing as sold. An authenticated attacker who has an active listing can obtain a valid nonce for the stm_mark_as_sold_car action from their own listing (for example via the plugin’s add-listing form) and replay that nonce against an arbitrary victim post ID. Because the authorization check is insufficient, the replayed request changes the target listing’s state, causing the display of a site-wide “Sold” badge and removing the special_car post meta from the victim listing as a side effect.
The issue exists because the plugin does not correctly verify that the authenticated user is authorized to modify the specific target listing before processing the stm_mark_as_sold_car action. The impact is limited to state changes on listings (integrity) and does not indicate disclosure of confidential data or denial of service.
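The CWE-862 shape described above, shown as an added illustration rather than the plugin’s own code: a hypothetical AJAX handler that only verifies the nonce, next to a hardened version that also checks that the caller may modify the specific target post. The nonce name, the request parameters (post_id, nonce, sold), the `listing` post type and the `stm_car_sold` meta key are assumptions for illustration; only the stm_mark_as_sold_car action and the special_car meta come from the advisory.

```php
<?php
// Added illustration of the CWE-862 pattern; not the plugin's code.
// Assumed names: post type 'listing', meta key 'stm_car_sold',
// nonce action 'stm_mark_as_sold_car', request fields post_id/nonce/sold.

// Vulnerable shape: the nonce proves the request came from a logged-in
// user's own page, but says nothing about which post that user may modify.
function stm_mark_as_sold_car_vulnerable() {
    check_ajax_referer( 'stm_mark_as_sold_car', 'nonce' ); // CSRF check only
    $post_id = absint( $_POST['post_id'] ?? 0 );           // caller-controlled
    update_post_meta( $post_id, 'stm_car_sold', 1 );       // any listing, any owner
    delete_post_meta( $post_id, 'special_car' );           // featured flag lost
    wp_send_json_success();
}

// Hardened shape: same nonce, plus authorization bound to the target post.
function stm_mark_as_sold_car_hardened() {
    check_ajax_referer( 'stm_mark_as_sold_car', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = get_post( $post_id );

    // Reject missing posts and posts of the wrong type before touching meta.
    if ( ! $post || 'listing' !== $post->post_type ) {
        wp_send_json_error( 'invalid listing', 404 );
    }

    // edit_post is a per-post meta capability: for a post the caller does
    // not own it maps to edit_others_posts, which a Subscriber never has.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Explicit ownership check, in case listing authors were granted broad caps.
    if ( (int) $post->post_author !== get_current_user_id()
         && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $mark_sold = ! empty( $_POST['sold'] );
    update_post_meta( $post_id, 'stm_car_sold', $mark_sold ? 1 : 0 );
    if ( $mark_sold ) {
        delete_post_meta( $post_id, 'special_car' ); // side effect noted above
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'sold' => $mark_sold ) );
}

// Only the hardened handler is registered for the AJAX action.
add_action( 'wp_ajax_stm_mark_as_sold_car', 'stm_mark_as_sold_car_hardened' );
```

The key difference is that the nonce alone answers “did this request come from a real session?”, while current_user_can( 'edit_post', $post_id ) answers “may this user change this post?”; both checks are needed.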
How This Could Impact Your Website
Consider a site where the owner manages listings, internal staff handle featured posts, and external contributors or contractors add content. A malicious subscriber who creates their own listing can mark competitors’ listings as “Sold” without the site owner or staff noticing immediately. This can:
- Cause legitimate listings to show an incorrect “Sold” status, reducing visibility and potential leads.
- Remove featured or promoted status from targeted listings by stripping the special_car post meta, affecting how listings appear in searches or on the homepage.
- Create administrative overhead as staff must investigate and reverse unwanted status changes.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and subscriber-level capabilities that allow adding listings.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and listings for unusual behavior, such as unexpected status changes or removed featured flags.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/includes/vehicle_functions.php#L2400
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/includes/vehicle_functions.php#L2402
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/templates/listing-cars/listing-list-owner-actions.php#L74
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.110/includes/vehicle_functions.php#L2400
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.110/includes/vehicle_functions.php#L2402
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.110/templates/listing-cars/listing-list-owner-actions.php#L74
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3577332%40motors-car-dealership-classified-listings&new=3577332%40motors-car-dealership-classified-listings&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5238c344-d685-4eab-822c-d3c1050cc982?source=cve