CVE-2026-12435 in Motors Plugin
Summary
by MITRE • 07/01/2026
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user's car listing as sold by replaying a valid nonce harvested from their own listing against an arbitrary victim post ID, triggering a site-wide 'Sold' badge on the victim's listing and silently stripping its special_car featured post meta as a side effect. Exploitation requires the attacker to hold an active listing of their own (obtainable by a Subscriber via the plugin's add-listing form) in order to harvest a valid nonce for the 'stm_mark_as_sold_car' action, which can then be replayed against any other listing's post ID.
Analysis
by VulDB Data Team • 07/01/2026
This vulnerability represents a critical authorization bypass flaw in the Motors – Car Dealership & Classified Listings WordPress plugin affecting all versions up to and including 1.4.111. The issue stems from improper verification of user permissions during critical administrative actions, specifically targeting the marking of car listings as sold. The vulnerability operates through a nonce replay mechanism that allows attackers with subscriber-level privileges or higher to manipulate listings belonging to other users without proper authorization. This authorization bypass occurs because the plugin fails to validate whether the requesting user has legitimate rights to perform the action on the target listing, creating a dangerous privilege escalation vector within the plugin's access control mechanisms.
The technical exploitation of this vulnerability requires an attacker to first create their own car listing through the standard plugin interface available to subscribers. This initial step is crucial as it provides the attacker with a valid nonce token specifically generated for the 'stm_mark_as_sold_car' action. Once obtained, this nonce can be replayed against any arbitrary victim post ID by manipulating the request parameters to target different listings. The attack mechanism demonstrates a classic example of insufficient input validation and improper session management where the nonce verification process does not adequately confirm the relationship between the requesting user and the target resource. This flaw essentially allows unauthorized manipulation of listing status across the entire site, bypassing the normal access controls that should prevent such cross-user actions.
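The missing check can be shown as a handler that trusts the nonce alone, next to one that authorizes the caller against the target listing. This is an added example, not the plugin's code: the function names, the example_mark_sold hook, the post_id and nonce request fields and the example_sold meta key are hypothetical, and only the 'stm_mark_as_sold_car' action string and the special_car meta key are taken from the advisory.

```php
<?php
// Added illustration, NOT the Motors plugin's source. Function names, the
// 'example_mark_sold' hook, the 'post_id'/'nonce' request fields and the
// 'example_sold' meta key are hypothetical. Only the nonce action
// 'stm_mark_as_sold_car' and the 'special_car' meta key come from the advisory.

// Hypothetical stand-in for the state change the advisory describes.
function example_apply_sold_state( $post_id ) {
    update_post_meta( $post_id, 'example_sold', 'on' );
    delete_post_meta( $post_id, 'special_car' );
}

// Pattern described in the advisory: the nonce is the only gate.
function example_mark_sold_nonce_only() {
    // A WordPress nonce is derived from the user, session, action string and
    // a time window. It says nothing about which post the request may touch.
    check_ajax_referer( 'stm_mark_as_sold_car', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    example_apply_sold_state( $post_id ); // any listing ID is accepted
    wp_send_json_success();
}

// Hardened form: authorize the caller against the target listing first.
function example_mark_sold_hardened() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    // Per-listing action string: a nonce issued for one post fails on another.
    check_ajax_referer( 'stm_mark_as_sold_car_' . $post_id, 'nonce' );

    $post = get_post( $post_id );
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Listing not found' ), 404 );
    }
    // Allow the listing's author, or a role that may edit this post.
    $is_owner = (int) $post->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    example_apply_sold_state( $post_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_mark_sold', 'example_mark_sold_hardened' );
```

The hardened handler only accepts nonces created with the same per-listing action string, for example wp_create_nonce( 'stm_mark_as_sold_car_' . $post_id ) where the listing's own controls are rendered.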
The operational impact of this vulnerability extends beyond simple data manipulation to include potential business disruption and user privacy concerns. When exploited successfully, attackers can silently mark any user's car listing as sold, triggering a site-wide 'Sold' badge that misrepresents the actual status of vehicles. This creates confusion for potential buyers who may be misled by false information about vehicle availability. Additionally, the vulnerability includes a secondary effect where the special_car featured post meta is silently stripped from the victim's listing, potentially removing important marketing features or premium positioning that could affect the listing's visibility and value. The silent nature of this side effect makes detection particularly challenging for site administrators who may not immediately notice the removal of featured status from listings.
This vulnerability aligns with CWE-284 (Improper Access Control) and demonstrates characteristics consistent with ATT&CK technique T1078 (Valid Accounts) and T1566 (Phishing). The attack requires legitimate user credentials with subscriber privileges, making it a form of credential misuse rather than brute force exploitation. Security professionals should consider this vulnerability as part of broader access control assessment frameworks, particularly when evaluating plugin security in WordPress environments where user roles and permissions are critical for maintaining site integrity. The ease of exploitation through the existing listing creation functionality makes this vulnerability particularly dangerous as it can be leveraged by attackers who already have basic user accounts on the site.
Organizations should implement immediate mitigations including updating to the latest plugin version where this authorization bypass has been addressed, implementing additional access controls that verify user permissions more rigorously, and monitoring for unauthorized changes to listing statuses. Site administrators should also consider implementing rate limiting or additional authentication checks for critical actions like marking listings as sold, and conducting regular audits of user activities related to car listing modifications. The vulnerability highlights the importance of proper nonce validation that includes user context verification and demonstrates why automated security testing of WordPress plugins is essential for maintaining secure web applications.
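One way to monitor for the silent removal of featured status is a small audit hook on post-meta changes. This is an added example, not part of the plugin: it assumes the special_car meta is removed or overwritten through the standard WordPress post-meta API and that the edit_others_posts capability identifies staff on the site, and the function name and log prefix are hypothetical.

```php
<?php
// Added illustration, not part of the Motors plugin. Logs changes to the
// 'special_car' meta key (named in the advisory) that are made by a user who
// is neither the listing's author nor allowed to edit others' posts.
// Assumptions: the meta is removed or overwritten through the standard
// post-meta API, and 'edit_others_posts' marks staff on this site.

function example_audit_special_car( $meta_ids, $post_id, $meta_key, $meta_value ) {
    if ( 'special_car' !== $meta_key ) {
        return;
    }
    $actor  = get_current_user_id();
    $author = (int) get_post_field( 'post_author', $post_id );
    // Skip background jobs (no user), the listing's owner, and staff.
    if ( 0 === $actor || $actor === $author || current_user_can( 'edit_others_posts' ) ) {
        return;
    }
    error_log( sprintf(
        '[listing-audit] %s: user %d changed special_car on post %d owned by user %d',
        current_action(),
        $actor,
        $post_id,
        $author
    ) );
}
// Both hooks pass four arguments: meta ID(s), post ID, meta key, meta value.
add_action( 'deleted_post_meta', 'example_audit_special_car', 10, 4 );
add_action( 'updated_post_meta', 'example_audit_special_car', 10, 4 );
```

Entries written by this hook identify listings whose featured flag was changed by an account that does not own them, which gives administrators a list of posts to review and restore.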
The root cause of this issue reflects a common pattern in plugin development where access control checks are insufficiently implemented or bypassed through predictable nonce reuse mechanisms. This type of vulnerability often occurs when developers assume that nonces alone provide sufficient protection without proper user authentication verification. The attack vector demonstrates how seemingly minor implementation flaws in permission checking can lead to significant security breaches, emphasizing the need for comprehensive security reviews during plugin development and regular security assessments of third-party WordPress components. Organizations should prioritize updating vulnerable plugins immediately and conduct thorough security audits to identify similar authorization bypass vulnerabilities within their WordPress installations.