CVE-2026-7859

Motors – Car Dealership & Classified Listings Plugin < 1.4.110 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.4.110
Patched in
2d
Time to patch

Description

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 1.4.110. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<1.4.110
PublishedJune 22, 2026
Last updatedJune 23, 2026

What Changed in the Fix

Changes introduced in v1.4.110

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-7859 (Motors Plugin CSRF) ## 1. Vulnerability Summary The **Motors – Car Dealership & Classified Listings Plugin** for WordPress (versions < 1.4.110) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists because several AJAX endpoin…

Show full research plan

Exploitation Research Plan - CVE-2026-7859 (Motors Plugin CSRF)

1. Vulnerability Summary

The Motors – Car Dealership & Classified Listings Plugin for WordPress (versions < 1.4.110) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists because several AJAX endpoints, specifically those related to page generation and dealership management, fail to implement or correctly validate WordPress nonces. This allows an unauthenticated attacker to trick a site administrator into performing sensitive actions, such as generating arbitrary pages or modifying dealership listings, by visiting a malicious link.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wpcfto_generate_pages (identified in includes/admin/page_generator/js/page_generator.js)
  • HTTP Method: POST
  • Vulnerable Parameter: The entire request body (JSON payload) lacks a nonce/security token.
  • Authentication Level: Administrator (victim must be logged in).
  • Preconditions: The attacker must trick the administrator into executing a request to the vulnerable endpoint.

3. Code Flow

  1. Frontend Registration (JS): In includes/admin/page_generator/js/page_generator.js, the Vue component mvl_page_generator defines a method generatePages().
  2. AJAX Call: The method executes this.$http.post(ajaxurl + '?action=wpcfto_generate_pages', JSON.stringify(vm.field_data)).
  3. Observation: Note that no nonce variable (e.g., _wpnonce or security) is passed in the URL parameters or the JSON body.
  4. Backend Handler (PHP): The wpcfto_generate_pages action is registered (likely via wp_ajax_wpcfto_generate_pages). Based on the JS behavior, the handler fails to call check_admin_referer() or check_ajax_referer(), allowing requests without a valid security token to proceed.
  5. Sink: The handler processes vm.field_data to generate WordPress pages, leading to unauthorized content creation.

4. Nonce Acquisition Strategy

Based on the source file includes/admin/page_generator/js/page_generator.js, the wpcfto_generate_pages action does not require a nonce. The JavaScript sends a raw JSON payload to the ajaxurl with only the action parameter in the query string.

If a different action like stm_ajax_buy_car_online (from app-ajax.js) is targeted, it uses stm_security_nonce. To obtain this nonce:

  1. Identify a page where the dealership listings are displayed (common on the homepage or /inventory/).
  2. Use browser_navigate to that page.
  3. Extract the nonce via browser_eval("window.stm_security_nonce").

However, for the primary wpcfto_generate_pages exploit, no nonce is needed.

5. Exploitation Strategy

We will forge a request to the wpcfto_generate_pages endpoint to create a dummy page, proving unauthorized action.

HTTP Request (via http_request tool)

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php?action=wpcfto_generate_pages
  • Headers:
    • Content-Type: application/json
  • Body:
{
    "pages": {
        "vulnerability_check": {
            "title": "CSRF Vulnerability Proven",
            "content": "This page was generated via an unauthorized CSRF request in CVE-2026-7859."
        }
    }
}

6. Test Data Setup

  1. Ensure the Motors plugin is active (version < 1.4.110).
  2. Create an Administrator user and log in (the execution agent will use the admin session context).
  3. No specific listings are required for the wpcfto_generate_pages action, as it targets the page generation utility.

7. Expected Results

  • The server should return a 200 OK or 201 Created status code.
  • The response body should indicate success (e.g., {"success":true} or a simple 0 if the handler returns nothing but executes).
  • A new page titled "CSRF Vulnerability Proven" should be created in the WordPress database.

8. Verification Steps

  1. Check Pages via WP-CLI:
    wp post list --post_type=page --post_status=publish --field=post_title
    
  2. Verify Title: Confirm "CSRF Vulnerability Proven" appears in the list.
  3. Check Plugin Version:
    wp plugin get motors-car-dealership-classified-listings --field=version
    

9. Alternative Approaches

If wpcfto_generate_pages is restricted by server-side Content-Type checks that block standard CSRF, target the listings-sold action in includes/actions.php.

Alternative Target: listings-sold

  • URL: http://localhost:8080/?ajax_action=listings-sold
  • Note: includes/actions.php calls check_ajax_referer( 'stm_security_nonce', 'security' );.
  • Bypass Check: Verify if stm_security_nonce is localized on public pages. If it is, an unauthenticated attacker can steal the nonce from the source and use it to forge a request on behalf of an admin to mark all cars as sold, effectively sabotaging the dealership's inventory display.
  • Acquisition: browser_eval("stm_security_nonce").
  • Request: POST /?ajax_action=listings-sold&security=[STOLEN_NONCE].
Research Findings
Static analysis — not yet PoC-verified

Summary

The Motors plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because several AJAX actions, such as page generation and car media management, lack proper nonce validation. This allow unauthenticated attackers to perform unauthorized actions, like creating arbitrary pages or modifying listings, by tricking an authenticated administrator into interacting with a malicious link or script.

Vulnerable Code

// includes/admin/page_generator/js/page_generator.js (lines 14-20)
generatePages: function generatePages() {
  var vm = this;
  if (vm.loading) return false;
  vm.loading = true;
  this.$http.post(ajaxurl + '?action=wpcfto_generate_pages', JSON.stringify(vm.field_data)).then(function (data) {
    location.reload();
    vm.loading = false;
  });
}

---

// assets/js/frontend/add_a_car.js (lines 278-285)
fd.append('action', 'stm_ajax_add_a_car_media');
fd.append('post_id', data.post_id);

$.ajax({
    url: ajaxurl,
    type: "POST",
    data: fd,
    processData: false,

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/motors-car-dealership-classified-listings/1.4.109/assets/js/frontend/add_a_car.js /home/deploy/wp-safety.org/data/plugin-versions/motors-car-dealership-classified-listings/1.4.110/assets/js/frontend/add_a_car.js
--- /home/deploy/wp-safety.org/data/plugin-versions/motors-car-dealership-classified-listings/1.4.109/assets/js/frontend/add_a_car.js	2024-08-02 11:19:00.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/motors-car-dealership-classified-listings/1.4.110/assets/js/frontend/add_a_car.js	2026-05-28 16:12:22.000000000 +0000
@@ -277,6 +277,7 @@
                                 }
 
                                 fd.append('action', 'stm_ajax_add_a_car_media');
+                                fd.append('security', stm_security_nonce);
                                 fd.append('post_id', data.post_id);
 
                                 $.ajax({
@@ -311,4 +312,4 @@
         });
     });
 
-})(jQuery);
\ No newline at end of file
+})(jQuery);
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/motors-car-dealership-classified-listings/1.4.109/assets/js/frontend/app-ajax.js /home/deploy/wp-safety.org/data/plugin-versions/motors-car-dealership-classified-listings/1.4.110/assets/js/frontend/app-ajax.js
--- /home/deploy/wp-safety.org/data/plugin-versions/motors-car-dealership-classified-listings/1.4.109/assets/js/frontend/app-ajax.js	2025-07-17 13:09:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/motors-car-dealership-classified-listings/1.4.110/assets/js/frontend/app-ajax.js	2026-05-28 16:12:22.000000000 +0000
@@ -5,14 +5,13 @@
         var thisBtn = $(this);
 
         var carId = $(this).data('id');
-        var price = $(this).data('price');
 
         $.ajax({
             url: ajaxurl,
             type: "POST",
             dataType: 'json',
             context: this,
-            data: 'car_id=' + carId + '&price=' + price + '&action=stm_ajax_buy_car_online&security=' + stm_security_nonce,
+            data: 'car_id=' + carId + '&action=stm_ajax_buy_car_online&security=' + stm_security_nonce,
             beforeSend: function () {
                 thisBtn.addClass('buy-online-load');
             },

Exploit Outline

1. Identify the vulnerable AJAX endpoint at `/wp-admin/admin-ajax.php?action=wpcfto_generate_pages` which is used by the plugin for generating dealership pages. 2. Note that the backend handler for this action does not invoke `check_ajax_referer` or `check_admin_referer` and only requires a JSON payload. 3. Create a malicious HTML form or JavaScript payload that targets this endpoint with a POST request. 4. Craft the payload body as a JSON object containing a 'pages' array, defining arbitrary titles and content for new WordPress pages. 5. Trick an authenticated site administrator into visiting a page controlled by the attacker, triggering the CSRF payload. 6. The browser will automatically send the administrator's authentication cookies with the request, successfully bypassing authentication while bypassing the non-existent nonce check. 7. Verify the exploit by checking the WordPress database for the newly created unauthorized pages.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.