Motors – Car Dealer, Classifieds & Listing < 1.4.58 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Listing Template Creation | CVE 2024-13737 | Plugin Vulnerabilities

Description

The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the motors_create_template and motors_delete_template functions in all versions up to, and including, 1.4.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts or create listing templates. This issue requires Elementor plugin to be installed, which is a required plugin for Motors Starter Theme.

Affects Plugins

motors-car-dealership-classified-listings

Fixed in 1.4.58

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/04fd2d7a-fa75-4b9d-9514-5c24ca5ebc22

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Thanh Nam Tran

Verified

No

WPVDB ID

c22298aa-d4c2-4599-bf35-27a559778aec

Timeline

Publicly Published

2025-03-21 (about 1 year ago)

Added

2025-03-21 (about 1 year ago)

Last Updated

2025-03-22 (about 1 year ago)

Other

Published

Title

Published

2025-04-15

Title

Barcode Generator for WooCommerce < 2.0.5 - Authenticated (Subscriber+) Arbitrary Content Deletion

Published

2024-04-16

Title

Popup Anything < 2.8.1 - Missing Authorization

Published

2026-02-23

Title

DesignThemes Booking Manager <= 2.0 - Missing Authorization

Published

2026-02-03

Title

Magic Import Document Extractor < 1.0.6 - Missing Authorization to Unauthenticated Plugin License Status Modification

Published

2024-04-09

Title

WP Radio – Worldwide Online Radio Stations Directory for WordPress <= 3.1.9 - Authenticated(Subscriber+) Stored Cross-Site Scripting via Settings