[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fp2l8FBuXuBqaxBrpgoZxu1XBqGrLcbrE-2BojNXvU98":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-7859","motors-car-dealership-classified-listings-plugin-cross-site-request-forgery","Motors – Car Dealership & Classified Listings Plugin \u003C 1.4.110 - Cross-Site Request Forgery","The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 1.4.110. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","motors-car-dealership-classified-listings",null,"\u003C1.4.110","1.4.110","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-22 00:00:00","2026-06-23 15:47:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6811abba-69a6-49c9-87e6-178b6788890d?source=api-prod",2,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Ffrontend\u002Fadd_a_car.js","assets\u002Fjs\u002Ffrontend\u002Fapp-ajax.js","includes\u002Factions.php","includes\u002Fadmin\u002Fpage_generator\u002Fjs\u002Fpage_generator.js","includes\u002Fclass\u002FUser\u002FModel\u002FUserModel.php","includes\u002Fclass\u002FUser\u002FUserController.php","includes\u002Fhelpers.php","includes\u002Fnuxy\u002Fcustom-fields\u002Fjs_components\u002Fnuxy-radio.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-7859 (Motors Plugin CSRF)\n\n## 1. Vulnerability Summary\nThe **Motors – Car Dealership & Classified Listings Plugin** for WordPress (versions \u003C 1.4.110) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists because several AJAX endpoints, specifically those related to page generation and dealership management, fail to implement or correctly validate WordPress nonces. This allows an unauthenticated attacker to trick a site administrator into performing sensitive actions, such as generating arbitrary pages or modifying dealership listings, by visiting a malicious link.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `wpcfto_generate_pages` (identified in `includes\u002Fadmin\u002Fpage_generator\u002Fjs\u002Fpage_generator.js`)\n- **HTTP Method:** `POST`\n- **Vulnerable Parameter:** The entire request body (JSON payload) lacks a nonce\u002Fsecurity token.\n- **Authentication Level:** Administrator (victim must be logged in).\n- **Preconditions:** The attacker must trick the administrator into executing a request to the vulnerable endpoint.\n\n## 3. Code Flow\n1. **Frontend Registration (JS):** In `includes\u002Fadmin\u002Fpage_generator\u002Fjs\u002Fpage_generator.js`, the Vue component `mvl_page_generator` defines a method `generatePages()`.\n2. **AJAX Call:** The method executes `this.$http.post(ajaxurl + '?action=wpcfto_generate_pages', JSON.stringify(vm.field_data))`. \n3. **Observation:** Note that **no nonce variable** (e.g., `_wpnonce` or `security`) is passed in the URL parameters or the JSON body.\n4. **Backend Handler (PHP):** The `wpcfto_generate_pages` action is registered (likely via `wp_ajax_wpcfto_generate_pages`). Based on the JS behavior, the handler fails to call `check_admin_referer()` or `check_ajax_referer()`, allowing requests without a valid security token to proceed.\n5. **Sink:** The handler processes `vm.field_data` to generate WordPress pages, leading to unauthorized content creation.\n\n## 4. Nonce Acquisition Strategy\nBased on the source file `includes\u002Fadmin\u002Fpage_generator\u002Fjs\u002Fpage_generator.js`, the `wpcfto_generate_pages` action **does not require a nonce**. The JavaScript sends a raw JSON payload to the `ajaxurl` with only the `action` parameter in the query string.\n\nIf a different action like `stm_ajax_buy_car_online` (from `app-ajax.js`) is targeted, it uses `stm_security_nonce`. To obtain this nonce:\n1. Identify a page where the dealership listings are displayed (common on the homepage or `\u002Finventory\u002F`).\n2. Use `browser_navigate` to that page.\n3. Extract the nonce via `browser_eval(\"window.stm_security_nonce\")`.\n\nHowever, for the primary `wpcfto_generate_pages` exploit, **no nonce is needed**.\n\n## 5. Exploitation Strategy\nWe will forge a request to the `wpcfto_generate_pages` endpoint to create a dummy page, proving unauthorized action.\n\n### HTTP Request (via `http_request` tool)\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php?action=wpcfto_generate_pages`\n- **Headers:**\n  - `Content-Type: application\u002Fjson`\n- **Body:**\n```json\n{\n    \"pages\": {\n        \"vulnerability_check\": {\n            \"title\": \"CSRF Vulnerability Proven\",\n            \"content\": \"This page was generated via an unauthorized CSRF request in CVE-2026-7859.\"\n        }\n    }\n}\n```\n\n## 6. Test Data Setup\n1. Ensure the Motors plugin is active (version \u003C 1.4.110).\n2. Create an Administrator user and log in (the execution agent will use the admin session context).\n3. No specific listings are required for the `wpcfto_generate_pages` action, as it targets the page generation utility.\n\n## 7. Expected Results\n- The server should return a `200 OK` or `201 Created` status code.\n- The response body should indicate success (e.g., `{\"success\":true}` or a simple `0` if the handler returns nothing but executes).\n- A new page titled \"CSRF Vulnerability Proven\" should be created in the WordPress database.\n\n## 8. Verification Steps\n1. **Check Pages via WP-CLI:**\n   ```bash\n   wp post list --post_type=page --post_status=publish --field=post_title\n   ```\n2. **Verify Title:** Confirm \"CSRF Vulnerability Proven\" appears in the list.\n3. **Check Plugin Version:**\n   ```bash\n   wp plugin get motors-car-dealership-classified-listings --field=version\n   ```\n\n## 9. Alternative Approaches\nIf `wpcfto_generate_pages` is restricted by server-side `Content-Type` checks that block standard CSRF, target the `listings-sold` action in `includes\u002Factions.php`.\n\n**Alternative Target:** `listings-sold`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002F?ajax_action=listings-sold`\n- **Note:** `includes\u002Factions.php` calls `check_ajax_referer( 'stm_security_nonce', 'security' );`.\n- **Bypass Check:** Verify if `stm_security_nonce` is localized on public pages. If it is, an unauthenticated attacker can steal the nonce from the source and use it to forge a request on behalf of an admin to mark all cars as sold, effectively sabotaging the dealership's inventory display.\n- **Acquisition:** `browser_eval(\"stm_security_nonce\")`.\n- **Request:** `POST \u002F?ajax_action=listings-sold&security=[STOLEN_NONCE]`.","The Motors plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because several AJAX actions, such as page generation and car media management, lack proper nonce validation. This allow unauthenticated attackers to perform unauthorized actions, like creating arbitrary pages or modifying listings, by tricking an authenticated administrator into interacting with a malicious link or script.","\u002F\u002F includes\u002Fadmin\u002Fpage_generator\u002Fjs\u002Fpage_generator.js (lines 14-20)\ngeneratePages: function generatePages() {\n  var vm = this;\n  if (vm.loading) return false;\n  vm.loading = true;\n  this.$http.post(ajaxurl + '?action=wpcfto_generate_pages', JSON.stringify(vm.field_data)).then(function (data) {\n    location.reload();\n    vm.loading = false;\n  });\n}\n\n---\n\n\u002F\u002F assets\u002Fjs\u002Ffrontend\u002Fadd_a_car.js (lines 278-285)\nfd.append('action', 'stm_ajax_add_a_car_media');\nfd.append('post_id', data.post_id);\n\n$.ajax({\n    url: ajaxurl,\n    type: \"POST\",\n    data: fd,\n    processData: false,","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.109\u002Fassets\u002Fjs\u002Ffrontend\u002Fadd_a_car.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.110\u002Fassets\u002Fjs\u002Ffrontend\u002Fadd_a_car.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.109\u002Fassets\u002Fjs\u002Ffrontend\u002Fadd_a_car.js\t2024-08-02 11:19:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.110\u002Fassets\u002Fjs\u002Ffrontend\u002Fadd_a_car.js\t2026-05-28 16:12:22.000000000 +0000\n@@ -277,6 +277,7 @@\n                                 }\n \n                                 fd.append('action', 'stm_ajax_add_a_car_media');\n+                                fd.append('security', stm_security_nonce);\n                                 fd.append('post_id', data.post_id);\n \n                                 $.ajax({\n@@ -311,4 +312,4 @@\n         });\n     });\n \n-})(jQuery);\n\\ No newline at end of file\n+})(jQuery);\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.109\u002Fassets\u002Fjs\u002Ffrontend\u002Fapp-ajax.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.110\u002Fassets\u002Fjs\u002Ffrontend\u002Fapp-ajax.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.109\u002Fassets\u002Fjs\u002Ffrontend\u002Fapp-ajax.js\t2025-07-17 13:09:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.110\u002Fassets\u002Fjs\u002Ffrontend\u002Fapp-ajax.js\t2026-05-28 16:12:22.000000000 +0000\n@@ -5,14 +5,13 @@\n         var thisBtn = $(this);\n \n         var carId = $(this).data('id');\n-        var price = $(this).data('price');\n \n         $.ajax({\n             url: ajaxurl,\n             type: \"POST\",\n             dataType: 'json',\n             context: this,\n-            data: 'car_id=' + carId + '&price=' + price + '&action=stm_ajax_buy_car_online&security=' + stm_security_nonce,\n+            data: 'car_id=' + carId + '&action=stm_ajax_buy_car_online&security=' + stm_security_nonce,\n             beforeSend: function () {\n                 thisBtn.addClass('buy-online-load');\n             },","1. Identify the vulnerable AJAX endpoint at `\u002Fwp-admin\u002Fadmin-ajax.php?action=wpcfto_generate_pages` which is used by the plugin for generating dealership pages.\n2. Note that the backend handler for this action does not invoke `check_ajax_referer` or `check_admin_referer` and only requires a JSON payload.\n3. Create a malicious HTML form or JavaScript payload that targets this endpoint with a POST request.\n4. Craft the payload body as a JSON object containing a 'pages' array, defining arbitrary titles and content for new WordPress pages.\n5. Trick an authenticated site administrator into visiting a page controlled by the attacker, triggering the CSRF payload.\n6. The browser will automatically send the administrator's authentication cookies with the request, successfully bypassing authentication while bypassing the non-existent nonce check.\n7. Verify the exploit by checking the WordPress database for the newly created unauthorized pages.","gemini-3-flash-preview","2026-06-25 19:56:57","2026-06-25 19:58:46",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.4.109","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags\u002F1.4.109","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmotors-car-dealership-classified-listings.1.4.109.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags\u002F1.4.110","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmotors-car-dealership-classified-listings.1.4.110.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags"]