CVE-2026-54828

Motors – Car Dealership & Classified Listings Plugin <= 1.4.109 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.4.110
Patched in
7d
Time to patch

Description

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.4.109. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4.109
PublishedJune 17, 2026
Last updatedJune 23, 2026

What Changed in the Fix

Changes introduced in v1.4.110

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-54828 ## 1. Vulnerability Summary The **Motors – Car Dealership & Classified Listings Plugin** (versions <= 1.4.109) contains a **Missing Authorization** vulnerability. Specifically, the plugin registers administrative AJAX actions intended for site setup and…

Show full research plan

Exploitation Research Plan - CVE-2026-54828

1. Vulnerability Summary

The Motors – Car Dealership & Classified Listings Plugin (versions <= 1.4.109) contains a Missing Authorization vulnerability. Specifically, the plugin registers administrative AJAX actions intended for site setup and page generation but fails to implement proper capability checks (e.g., current_user_can('manage_options')).

The most likely candidate for this vulnerability is the wpcfto_generate_pages action, used by the plugin's "Page Generator" feature. Based on the provided source code in includes/admin/page_generator/js/page_generator.js, this action is called via a POST request with a JSON payload and, crucially, appears to lack both a capability check and a nonce verification in its handler, allowing unauthenticated attackers to trigger the generation of multiple WordPress pages.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wpcfto_generate_pages
  • HTTP Method: POST
  • Payload Format: JSON (sent as the raw POST body)
  • Parameters:
    • action: wpcfto_generate_pages (passed in the query string or body)
    • POST Body: A JSON object representing the field_data (pages to be generated).
  • Authentication: None (Unauthenticated).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.