Authorization Bypass in Motors Plugin for WordPress
CVE-2026-12435
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 1 July 2026
What is CVE-2026-12435?
The Motors β Car Dealership & Classified Listings Plugin for WordPress has a vulnerability allowing authenticated users, with subscriber-level access or greater, to misuse authorized actions. This occurs due to inadequate verification of user permissions when marking listings as sold. Attackers can exploit this flaw by replaying a valid nonce from their own listings against any other user's post ID, enabling them to falsely alter status and remove special features from victims' listings silently. Affected versions include all releases up to 1.4.111.
Affected Version(s)
Motors β Car Dealership & Classified Listings Plugin 0 <= 1.4.111