CVE-2026-39515
Description
A broken access control vulnerability in the Motors WordPress plugin (versions < 1.4.107) allows subscriber-level users to perform higher-privileged actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Motors WordPress plugin (versions prior to 1.4.107) contains a broken access control vulnerability. The plugin fails to properly authorize or validate nonce tokens in certain functions, allowing unprivileged users (e.g., subscribers) to perform actions intended for higher-privileged roles. This affects the car dealership classified listings plugin, which is commonly used on WordPress sites. [1]
Exploitation
An attacker with a subscriber-level account on a vulnerable WordPress site can send specially crafted HTTP requests to the plugin's endpoints. By exploiting the missing authorization or nonce check, the attacker can invoke functions that should be restricted to administrators or other higher-privileged users. No additional privileges or user interaction beyond authentication as a subscriber are required. [1]
Impact
Successful exploitation allows the attacker to perform unauthorized administrative actions, such as modifying plugin settings, creating or editing listings, or executing other privileged operations depending on the vulnerable function. This could lead to data manipulation, information disclosure, or further privilege escalation within the WordPress site. The vulnerability is moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of sites. [1]
Mitigation
The vulnerability is fixed in version 1.4.107 of the Motors plugin. All users should update to this version or later immediately. If updating is not possible, administrators can apply a mitigation rule (e.g., from Patchstack) or contact their hosting provider for assistance. No other workarounds are mentioned in the available reference. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.