WordPress Plugin Vulnerabilities

Motors – Car Dealer, Classifieds & Listing < 1.4.11 - Missing Authorization

Description

The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stm_edit_delete_user_car function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to unpublish arbitrary posts and pages.

Affects Plugins

Plugin icon
motors-car-dealership-classified-listings
Fixed in 1.4.11

References

CVE
CVE-2024-5545
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/62731e0e-8843-4f79-b887-c595fbefae26

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
ac70d178-7232-4be4-bfe6-3c45f211d517

Timeline

Publicly Published
2024-07-01 (about 1 year ago)
Added
2024-07-02 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2025-03-28
Title
Clear Sucuri Cache <= 1.4 - Missing Authorization
Published
2026-01-05
Title
Icegram < 3.1.36 - Missing Authorization
Published
2024-05-20
Title
AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 - Missing Authorization to Unauthenticated Ad Status Update
Published
2026-03-16
Title
Modern Events Calendar <= 7.29.0 - Missing Authorization
Published
2025-03-27
Title
Cool Author Box < 3.0.0 - Missing Authorization