Authorization Bypass in Motors Plugin for WordPress
CVE-2026-12435

4.3MEDIUM

What is CVE-2026-12435?

The Motors – Car Dealership & Classified Listings Plugin for WordPress has a vulnerability allowing authenticated users, with subscriber-level access or greater, to misuse authorized actions. This occurs due to inadequate verification of user permissions when marking listings as sold. Attackers can exploit this flaw by replaying a valid nonce from their own listings against any other user's post ID, enabling them to falsely alter status and remove special features from victims' listings silently. Affected versions include all releases up to 1.4.111.

Affected Version(s)

Motors – Car Dealership & Classified Listings Plugin 0 <= 1.4.111

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Perla (vizen5)
.