Security Alert Summary
The Motors – Car Dealership & Classified Listings plugin for WordPress contains a user meta update vulnerability that can be abused by authenticated users with Subscriber-level access or higher to bypass payment verification. A function updates sensitive user meta fields from POST data without sufficient permission checks, allowing an attacker to set their payment status to ‘completed’ and gain access to paid Dealer membership features without completing a transaction.
CVE Details
- CVE ID: CVE-2026-1934
- Affected component: The Motors – Car Dealership & Classified Listings plugin for WordPress
- Affected versions: all versions up to, and including, 1.4.103
- Published: May 12, 2026 at 10:16:43 AM
- Last modified: May 12, 2026 at 2:03:52 PM
- CVSS v3.1 base score: 4.3 (MEDIUM)
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Authentication / privileges required / user interaction: Exploitable by authenticated users; the description specifies attackers with Subscriber-level access and above. The CVSS metrics accordingly list Privileges Required: LOW and User Interaction: NONE.
- Impact (C/I/A): Confidentiality: NONE; Integrity: LOW; Availability: NONE
- Weakness (CWE): CWE-862
Technical Details
The vulnerability is caused by the stm_save_user_extra_fields() function updating sensitive user meta fields from POST data without verifying whether the current user should be allowed to modify those particular fields. The function is hooked into the 'personal_options_update' action and performs only a current_user_can('edit_user', $user_id) check, which returns true for any user editing their own profile. As a result, any authenticated user can write meta fields on their own account that should only be set by the site or by the payment flow.
One specifically named meta field is stm_payment_status. An authenticated user with Subscriber-level access or higher can set this field to 'completed', bypassing PayPal payment verification and gaining access to paid Dealer membership features without completing a transaction.
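The pattern below is a constructed illustration, not the plugin's code or its patch: a profile-update handler that keeps the 'edit_user' check described above but gates protected meta keys behind an administrative capability, plus a logging hook that surfaces writes to stm_payment_status for the monitoring step. The function and constant names, the 'manage_options' requirement and the self-editable key names are assumptions.

```php
<?php
// Constructed example: hardened handler modelled on the advisory's description.
// Only stm_payment_status, 'personal_options_update' and the 'edit_user'
// check come from the advisory; everything else is hypothetical.

// Keys a user may legitimately set on their own profile (hypothetical names).
const EXAMPLE_SELF_EDITABLE_KEYS = array( 'stm_phone', 'stm_company' );

// Keys that must never be writable from the profile form by the account owner.
const EXAMPLE_PROTECTED_KEYS = array( 'stm_payment_status' );

function example_save_user_extra_fields( $user_id ) {
    // Baseline check, as in the vulnerable pattern: true for any user editing
    // their own profile, so it cannot protect payment state on its own.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }

    foreach ( EXAMPLE_SELF_EDITABLE_KEYS as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
        }
    }

    // Protected keys require a site-level capability regardless of whose
    // profile is being edited; the page's own POST data is not trusted here.
    foreach ( EXAMPLE_PROTECTED_KEYS as $key ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        if ( ! current_user_can( 'manage_options' ) ) {
            // Ignore the value and leave an audit trail for log review.
            error_log( sprintf( 'Blocked attempt by user %d to set %s', get_current_user_id(), $key ) );
            continue;
        }
        update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
    }
}
add_action( 'personal_options_update', 'example_save_user_extra_fields' );
add_action( 'edit_user_profile_update', 'example_save_user_extra_fields' );

// Detection: record every change to the payment-status key, whoever made it,
// so unexpected writes by low-privilege accounts show up in monitoring.
add_action( 'updated_user_meta', function ( $meta_id, $object_id, $meta_key, $meta_value ) {
    if ( 'stm_payment_status' === $meta_key ) {
        error_log( sprintf( 'stm_payment_status for user %d set to %s by user %d',
            $object_id, $meta_value, get_current_user_id() ) );
    }
}, 10, 4 );
```

A payment-status key written by any account other than the payment callback or an administrator is the signal to look for in the resulting log lines.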
How This Could Impact Your Website
On a site using this plugin, different user roles interact with membership and dealer features: the site owner or administrator configures memberships; internal staff manage listings and accounts; external contractors or contributors may have Subscriber-level access for limited tasks. In this context, an authenticated user with Subscriber-level access could alter their own user meta to appear as a paid Dealer member and gain access to paid features intended only for paying users.
Practical consequences include unauthorized access to paid functionality and a higher risk of targeted fraud or social engineering against legitimate staff or dealers who expect membership controls to be enforced. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and capabilities, especially for Contributor and Subscriber accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior, such as unexpected changes to user meta or new access to paid features.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.102/includes/user-extra.php#L255
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.102/includes/user-extra.php#L294
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/trunk/includes/user-extra.php#L294
- https://plugins.trac.wordpress.org/changeset/3468174/motors-car-dealership-classified-listings/trunk/includes/user-extra.php
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fmotors-car-dealership-classified-listings/tags/1.4.103&new_path=%2Fmotors-car-dealership-classified-listings/tags/1.4.104
- https://www.wordfence.com/threat-intel/vulnerabilities/id/34062e9a-48c2-4676-ab7d-b6334f248e8a?source=cve