Payment Bypass Vulnerability in Motors Car Dealership Plugin for WordPress
CVE-2026-1934

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Motors – Car Dealership & Classified Listings Plugin
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-1934?

The Motors – Car Dealership & Classified Listings plugin for WordPress has a vulnerability that allows authenticated users to bypass payment verification. This occurs through the stm_save_user_extra_fields() function, which updates sensitive user meta fields based on POST data without sufficient permission checks. Any authenticated user, such as those with Subscriber-level access, can manipulate their payment status to 'completed'. This exploitation grants access to paid features without completing the necessary transaction process.

Affected Version(s)

Motors – Car Dealership & Classified Listings Plugin 0 <= 1.4.103

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/motors-car-dea...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Feb 4, 2026

Credit

shrikant bhosale

CVE-2026-1934 Data

JSON