Arbitrary Plugin Installation Vulnerability in Motors - Car Dealership & Classified Listings Plugin by WordPress
CVE-2025-2807

8.8HIGH

Key Information:

Vendor: WordPress
Status: Motors – Car Dealership & Classified Listings Plugin
Vendor: CVE Published:; 8 April 2025

What is CVE-2025-2807?

The Motors – Car Dealership & Classified Listings Plugin for WordPress suffers from a flaw that allows authenticated attackers with Subscriber-level access or higher to install and activate any plugin on the affected site's server. This is due to a missing capability check in the mvl_setup_wizard_install_plugin() function, which can lead to potential remote code execution vulnerabilities. Effective measures should be taken to update to the latest version and review user access to mitigate this security risk.

Affected Version(s)

Motors – Car Dealership & Classified Listings Plugin * <= 1.4.64

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3262748/moto...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2025
Vulnerability Reserved
Mar 25, 2025

Credit

Michael Mazzolini