Motors – Car Dealership & Classified Listings Plugin <= 1.4.109 - Missing Authorization
Description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.4.109. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.4.109What Changed in the Fix
Changes introduced in v1.4.110
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-54828 ## 1. Vulnerability Summary The **Motors – Car Dealership & Classified Listings Plugin** (versions <= 1.4.109) contains a **Missing Authorization** vulnerability. Specifically, the plugin registers administrative AJAX actions intended for site setup and…
Show full research plan
Exploitation Research Plan - CVE-2026-54828
1. Vulnerability Summary
The Motors – Car Dealership & Classified Listings Plugin (versions <= 1.4.109) contains a Missing Authorization vulnerability. Specifically, the plugin registers administrative AJAX actions intended for site setup and page generation but fails to implement proper capability checks (e.g., current_user_can('manage_options')).
The most likely candidate for this vulnerability is the wpcfto_generate_pages action, used by the plugin's "Page Generator" feature. Based on the provided source code in includes/admin/page_generator/js/page_generator.js, this action is called via a POST request with a JSON payload and, crucially, appears to lack both a capability check and a nonce verification in its handler, allowing unauthenticated attackers to trigger the generation of multiple WordPress pages.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
wpcfto_generate_pages - HTTP Method:
POST - Payload Format: JSON (sent as the raw POST body)
- Parameters:
action:wpcfto_generate_pages(passed in the query string or body)POST Body: A JSON object representing thefield_data(pages to be generated).
- Authentication: None (Unauthenticated).
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.