WordPress Plugin Vulnerabilities

Motors – Car Dealer, Classifieds & Listing < 1.4.44 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Custom Title

Description

The The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
motors-car-dealership-classified-listings
Fixed in 1.4.44

References

CVE
CVE-2024-10970
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fc58c679-3e87-4bcc-b1bc-718ae52c291a

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
ghsinfosec, C_T_R_L
Verified
No
WPVDB ID
fdf4eff0-c8fb-4df4-8e96-82e2d6860f97

Timeline

Publicly Published
2025-01-15 (about 1 year ago)
Added
2025-01-15 (about 1 year ago)
Last Updated
2025-01-16 (about 1 year ago)

Other

Published
Title
Published
2025-09-26
Title
WP Recipe Maker < 10.1.0 - Unauthenticated Arbitrary Shortcode Execution
Published
2026-04-20
Title
Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE
Published
2025-12-25
Title
IF AS Shortcode <= 1.2 - Authenticated (Contributor+) Remote Code Execution
Published
2014-12-30
Title
Cforms & CformsII <= 14.7 - Remote Code Execution via Unauthorised File Upload
Published
2014-08-01
Title
WPLocalPlaces - File Upload Remote Code Execution