WordPress Plugin Vulnerabilities

Motors – Car Dealership & Classified Listings Plugin < 1.4.107 - Missing Authorization

Description

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 1.4.107. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
motors-car-dealership-classified-listings
Fixed in 1.4.107

References

CVE
CVE-2026-39515
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/60693832-ff40-4173-95d9-822630e3403e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jakub Herman
Verified
No
WPVDB ID
f3fd9967-637a-4760-b3b7-69ed46a71982

Timeline

Publicly Published
2026-04-21 (about 23 days ago)
Added
2026-04-30 (about 13 days ago)
Last Updated
2026-04-30 (about 13 days ago)

Other

Published
Title
Published
2025-12-19
Title
Bit Assist < 1.6.0 - Missing Authorization
Published
2025-10-30
Title
Order Export & Order Import for WooCommerce < 2.6.8 - Missing Authorization
Published
2025-01-31
Title
Shortcodes and extra features for Phlox theme < 2.17.5 - Missing Authorization
Published
2026-02-04
Title
ProfileGrid – User Profiles, Groups and Communities < 5.9.7.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension
Published
2025-04-30
Title
Projectopia – WordPress Project Management < 5.1.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion