Vulnerabilities and security researches formotors-car-dealership-classified-listings motors-car-dealership-classified-listings
Direction: descendingJun 20, 2026
Motors – Car Dealer, Classifieds & Listing # CVE-2026-54814
- CVE, Research URL
- Application
- Date
- Jun 17, 2026
- Research Description
- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109.
- Affected versions
-
max 1.4.110.
- Status
-
vulnerable
Motors – Car Dealer, Classifieds & Listing # CVE-2026-54812
- CVE, Research URL
- Application
- Date
- Jun 17, 2026
- Research Description
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Motors allows Blind SQL Injection. This issue affects Motors: from n/a through 1.4.109.
- Affected versions
-
max 1.4.110.
- Status
-
vulnerable
Jun 16, 2026
Motors – Car Dealer, Classifieds & Listing # 9d18a8acde8dfc3248ea031de1380616146ea3d1
- CVE, Research URL
- Application
- Date
- Sep 23, 2019
- Research Description
- Motors – Car Dealership & Classified Listings Plugin [motors-car-dealership-classified-listings] < 1.4.1 WordPress Motors – Car Dealer & Classified Ads plugin <= 1.4.0 - Multiple security issues Multiple security issues found by Jerome Bruandet in WordPress Motors – Car Dealer & Classified Ads plugin (versions <= 1.4.0).
- Affected versions
-
max 1.4.1.
- Status
-
vulnerable
May 16, 2026
Motors – Car Dealer, Classifieds & Listing # CVE-2026-3892
- CVE, Research URL
- Application
- Date
- May 14, 2026
- Research Description
- The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to set an arbitrary filesystem path via the profile update handler. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server.
- Affected versions
-
max 1.4.108.
- Status
-
vulnerable
May 13, 2026
Motors – Car Dealer, Classifieds & Listing # CVE-2026-1934
- CVE, Research URL
- Application
- Date
- May 12, 2026
- Research Description
- The Motors – Car Dealership & Classified Listings plugin for WordPress is vulnerable to Payment Bypass via insecure user meta update in all versions up to, and including, 1.4.103 This is due to the stm_save_user_extra_fields() function updating sensitive user meta fields from POST data without verifying that the current user should have permission to modify those fields. The function hooks into the 'personal_options_update' action and only checks current_user_can('edit_user', $user_id), which passes for any user editing their own profile. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set their stm_payment_status to 'completed', bypassing the PayPal payment verification and gaining access to paid Dealer membership features without completing any transaction.
- Affected versions
-
max 1.4.104.
- Status
-
vulnerable
May 02, 2026
Motors – Car Dealer, Classifieds & Listing # CVE-2026-39515
- CVE, Research URL
- Application
- Date
- -
- Research Description
- Motors – Car Dealership & Classified Listings Plugin [motors-car-dealership-classified-listings] < 1.4.107 CVE-2026-39515
- Affected versions
-
max 1.4.107.
- Status
-
vulnerable
Nov 11, 2025
Motors – Car Dealer, Classifieds & Listing # CVE-2025-10494
- CVE, Research URL
- Application
- Date
- Oct 08, 2025
- Research Description
- The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
- Affected versions
-
max 1.4.90.
- Status
-
vulnerable
Aug 05, 2025
Motors – Car Dealer, Classifieds & Listing # CVE-2025-54691
- CVE, Research URL
- Application
- Date
- Aug 14, 2025
- Research Description
- Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Motors: from n/a through <= 1.4.80.
- Affected versions
-
max 1.4.81.
- Status
-
vulnerable
Apr 13, 2025
Motors – Car Dealer, Classifieds & Listing # CVE-2025-32654
- CVE, Research URL
- Application
- Date
- Apr 11, 2025
- Research Description
- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows PHP Local File Inclusion.This issue affects Motors: from n/a through <= 1.4.71.
- Affected versions
-
max 1.4.72.
- Status
-
vulnerable
Apr 09, 2025
Motors – Car Dealer, Classifieds & Listing # CVE-2025-2808
- CVE, Research URL
- Application
- Date
- Apr 08, 2025
- Research Description
- The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 1.4.64.
- Status
-
vulnerable
Motors – Car Dealer, Classifieds & Listing # CVE-2025-3437
- CVE, Research URL
- Application
- Date
- Apr 08, 2025
- Research Description
- The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions.
- Affected versions
-
max 1.4.67.
- Status
-
vulnerable
Motors – Car Dealer, Classifieds & Listing # CVE-2025-2807
- CVE, Research URL
- Application
- Date
- Apr 08, 2025
- Research Description
- The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible.
- Affected versions
-
max 1.4.65.
- Status
-
vulnerable
Apr 06, 2025
Motors – Car Dealer, Classifieds & Listing # CVE-2025-32142
- CVE, Research URL
- Application
- Date
- Apr 04, 2025
- Research Description
- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows PHP Local File Inclusion.This issue affects Motors: from n/a through <= 1.4.71.
- Affected versions
-
max 1.4.72.
- Status
-
vulnerable
Motors – Car Dealer, Classifieds & Listing # CVE-2025-32170
- CVE, Research URL
- Application
- Date
- Apr 04, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows Stored XSS.This issue affects Motors: from n/a through <= 1.4.71.
- Affected versions
-
max 1.4.72.
- Status
-
vulnerable
Mar 24, 2025
Motors – Car Dealer, Classifieds & Listing # CVE-2024-13737
- CVE, Research URL
- Application
- Date
- Mar 22, 2025
- Research Description
- The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the motors_create_template and motors_delete_template functions in all versions up to, and including, 1.4.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts or create listing templates. This issue requires Elementor plugin to be installed, which is a required plugin for Motors Starter Theme.
- Affected versions
-
max 1.4.58.
- Status
-
vulnerable
Jan 17, 2025
Motors – Car Dealer, Classifieds & Listing # CVE-2024-10970
- CVE, Research URL
- Application
- Date
- Jan 16, 2025
- Research Description
- The The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
- Affected versions
-
max 1.4.44.
- Status
-
vulnerable
Jul 04, 2024
Motors – Car Dealer, Classifieds & Listing # CVE-2024-5545
- CVE, Research URL
- Application
- Date
- Jul 02, 2024
- Research Description
- The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stm_edit_delete_user_car function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to unpublish arbitrary posts and pages.
- Affected versions
-
max 1.4.11.
- Status
-
vulnerable
Jun 07, 2024
Motors – Car Dealer, Classifieds & Listing # CVE-2023-46207
- CVE, Research URL
- Application
- Date
- Nov 13, 2023
- Research Description
- Server-Side Request Forgery (SSRF) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing.This issue affects Motors – Car Dealer, Classifieds & Listing: from n/a through 1.4.6.
- Affected versions
-
max 1.4.7.
- Status
-
vulnerable
Motors – Car Dealer, Classifieds & Listing # CVE-2023-46208
- CVE, Research URL
- Application
- Date
- Oct 28, 2023
- Research Description
- Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing plugin <= 1.4.6 versions.
- Affected versions
-
max 1.4.7.
- Status
-
vulnerable
Motors – Car Dealer, Classifieds & Listing # CVE-2019-17228
- CVE, Research URL
- Application
- Date
- Feb 25, 2020
- Research Description
- includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress allows unauthenticated options changes.
- Affected versions
-
max 1.4.1.
- Status
-
vulnerable
Motors – Car Dealer, Classifieds & Listing # CVE-2022-38716
- CVE, Research URL
- Application
- Date
- May 25, 2023
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing plugin <= 1.4.4 versions.
- Affected versions
-
max 1.4.6.
- Status
-
vulnerable
Motors – Car Dealer, Classifieds & Listing # CVE-2022-3989
- CVE, Research URL
- Application
- Date
- Dec 12, 2022
- Research Description
- The Motors WordPress plugin before 1.4.4 does not properly validate uploaded files for dangerous file types (such as .php) in an AJAX action, allowing an attacker to sign up on a victim's WordPress instance, upload a malicious PHP file and attempt to launch a brute-force attack to discover the uploaded payload.
- Affected versions
-
max 1.4.4.
- Status
-
vulnerable
Motors – Car Dealer, Classifieds & Listing # CVE-2019-17229
- CVE, Research URL
- Application
- Date
- Feb 25, 2020
- Research Description
- includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress has multiple stored XSS issues.
- Affected versions
-
max 1.4.1.
- Status
-
vulnerable