// vulnerability record
cached · NVD via COSMOS syncCVE-2026-12435
MEDIUMpublished 2026-07-01 08:16 UTC · 3 days ago · modified 2026-07-01 13:56 UTC
// description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user's car listing as sold by replaying a valid nonce harvested from their own listing against an arbitrary victim post ID, triggering a site-wide 'Sold' badge on the victim's listing and silently stripping its special_car featured post meta as a side effect. Exploitation requires the attacker to hold an active listing of their own (obtainable by a Subscriber via the plugin's add-listing form) in order to harvest a valid nonce for the 'stm_mark_as_sold_car' action, which can then be replayed against any other listing's post ID.
// weaknesses (CWE)
- CWE-862
// references (8)
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/includes/vehicle_functions.php#L2400
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/includes/vehicle_functions.php#L2402
- https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/templates/listing-cars/listing-list-owner-actions.php#L74