[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzT4lYNOImV7ZtjLoDigT1CBKqPcfQfuv7Iu3oZkNMsI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39515","motors-car-dealership-classified-listings-plugin-missing-authorization","Motors – Car Dealership & Classified Listings Plugin \u003C 1.4.107 - Missing Authorization","The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 1.4.107. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","motors-car-dealership-classified-listings",null,"\u003C1.4.107","1.4.107","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-21 00:00:00","2026-04-30 14:57:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F60693832-ff40-4173-95d9-822630e3403e?source=api-prod",10,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Ffrontend\u002Finventory.css","assets\u002Fcss\u002Fnuxy\u002Fmotors-vl-nuxy-styles.css","assets\u002Fcss\u002Fstyle.css","assets\u002Fjs\u002Ffrontend\u002Finit.js","assets\u002Fjs\u002Flisting-manager\u002Flisting-manager-features.js","assets\u002Fjs\u002Flisting-manager\u002Flisting-manager-options.js","assets\u002Fjs\u002Flisting-manager\u002Flisting-manager.js","assets\u002Fjs\u002Fvehicles-listing.js","researched",false,3,"This plan targets a missing authorization vulnerability in the **Motors – Car Dealership & Classified Listings Plugin** (CVE-2026-39515). The vulnerability allows authenticated users with Subscriber-level access to perform unauthorized actions, likely related to the \"Listing Manager\" functionality used to handle car inventory features and options.\n\n### 1. Vulnerability Summary\nThe plugin implements a \"Listing Manager\" interface that handles car inventory attributes via AJAX. Several AJAX actions, specifically `listing_manager_save_form`, appear to lack adequate capability checks (`current_user_can`) or ownership checks (ensuring the user owns the `listing_id` being modified). This allows a Subscriber to modify car listing data or taxonomy terms (features) that should be restricted to listing owners or administrators.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action**: `listing_manager_save_form` (and potentially `listing_manager_get_form`)\n*   **Authentication**: Required (Subscriber level or above).\n*   **Payload Parameters**:\n    *   `action`: `listing_manager_save_form`\n    *   `nonce`: A valid security nonce (localized in the Listing Manager scripts).\n    *   `listing_id`: The ID of a vehicle listing to modify (Target: an IDOR opportunity).\n    *   `listing_manager_page_id`: `features` or `option`.\n    *   `template`: `term-features`.\n    *   `term_name`: A new feature name to inject into the system.\n    *   `order`: (Optional) Array of field slugs and orders.\n\n### 3. Code Flow\n1.  **Entry Point**: The AJAX action `listing_manager_save_form` is triggered via POST.\n2.  **JS Source**: `assets\u002Fjs\u002Flisting-manager\u002Flisting-manager-features.js` (lines 104-129) and `assets\u002Fjs\u002Flisting-manager\u002Flisting-manager-options.js`.\n3.  **Vulnerable Sink (PHP)**: The PHP handler for `listing_manager_save_form` (likely in an `includes\u002F` directory not fully provided, but referenced by JS) fails to verify that the `current_user_can('manage_options')` or that the current user is the `post_author` of the `listing_id`.\n4.  **Execution**: The handler processes the `term_name` or `data` and uses `wp_set_object_terms()` or `update_post_meta()` to save changes to the database.\n\n### 4. Nonce Acquisition Strategy\nThe Listing Manager scripts rely on nonces named `nonce` and `nonce_get_form`. These are localized via `wp_localize_script`.\n\n1.  **Identify Page**: The Listing Manager is active on the \"Add Car\" or \"Edit Car\" pages of the dealership dashboard.\n2.  **Create Setup**: Ensure the plugin is configured to allow users to add listings.\n3.  **Extraction**:\n    *   Log in as a Subscriber.\n    *   Navigate to the inventory management or \"Add Car\" page (e.g., `\u002F?page_id=[ID_of_add_car_page]`).\n    *   Use `browser_eval` to inspect the global scope. The variables are likely part of a localized object.\n    *   **Verified JS Identifiers**:\n        *   Object likely: `window.listingManager` or `window.mvl_listing_manager_vars`.\n        *   Key: `nonce` or `nonce_get_form`.\n    *   **Alternative**: The nonces might be directly in the global scope if localized incorrectly. Check `window.nonce`.\n\n### 5. Exploitation Strategy\nThe goal is to use a Subscriber account to add a new \"Feature\" term to an Administrator's car listing.\n\n1.  **Step 1: Setup Content**: Create a car listing as an Administrator. Note its `listing_id`.\n2.  **Step 2: Obtain Nonce**: Navigate to the dealership dashboard as a Subscriber and extract the `nonce` variable.\n3.  **Step 3: Execute Unauthorized Modification**:\n    *   Send a POST request to `admin-ajax.php`.\n    *   Target the Administrator's `listing_id`.\n    *   **Request Details**:\n        ```http\n        POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n        Content-Type: application\u002Fx-www-form-urlencoded\n\n        action=listing_manager_save_form&nonce=[EXTRACTED_NONCE]&listing_id=[ADMIN_LISTING_ID]&template=term-features&listing_manager_page_id=features&term_name=VULN_CHECK_FEATURE\n        ```\n4.  **Step 4: Verify Success**: Check if a new taxonomy term \"VULN_CHECK_FEATURE\" was created and associated with the Administrator's listing.\n\n### 6. Test Data Setup\n1.  **Administrator**: Default admin.\n2.  **Car Listing**: Use WP-CLI to create a listing.\n    ```bash\n    wp post create --post_type=listings --post_title=\"Admin Car\" --post_status=publish --post_author=1\n    ```\n    *(Note: post_type might be `stm-listings` or `listings` depending on plugin config; check with `wp post-type list`).*\n3.  **Subscriber**:\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n    ```\n4.  **Plugin Config**: Ensure the \"Listing Manager\" is active in Motors settings.\n\n### 7. Expected Results\n*   The AJAX response should return `{\"success\":true, \"data\": {...}}`.\n*   The system will create a new term in the `stm_features` (or similar) taxonomy.\n*   The Administrator's listing will now have the unauthorized feature associated with it.\n\n### 8. Verification Steps\n1.  **Check Metadata\u002FTerms via WP-CLI**:\n    ```bash\n    # List terms for the Admin's car ID\n    wp post term list [ADMIN_LISTING_ID] stm_features\n    ```\n2.  **Check for Global Term Creation**:\n    ```bash\n    wp term list stm_features --search=VULN_CHECK_FEATURE\n    ```\n\n### 9. Alternative Approaches\nIf `listing_manager_save_form` is not accessible, target the user profile update handler which also uses a nonce and lacks specific auth checks:\n*   **Action**: `stm_listings_ajax_save_user_data`\n*   **Nonce**: `stm_listings_user_data_nonce` (found in `assets\u002Fjs\u002Ffrontend\u002Finit.js`).\n*   **Payload**: Attempt to send a `user_id` parameter matching the Administrator's ID to perform an IDOR profile update.\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: multipart\u002Fform-data; boundary=----Exploit\n\n    ------Exploit\n    Content-Disposition: form-data; name=\"action\"\n\n    stm_listings_ajax_save_user_data\n    ------Exploit\n    Content-Disposition: form-data; name=\"security\"\n\n    [stm_listings_user_data_nonce]\n    ------Exploit\n    Content-Disposition: form-data; name=\"user_id\"\n\n    1\n    ------Exploit\n    Content-Disposition: form-data; name=\"first_name\"\n\n    PWNED\n    ------Exploit--\n    ```","The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to unauthorized data modification due to missing capability and ownership checks in AJAX handlers such as listing_manager_save_form. This allows authenticated attackers with subscriber-level access to modify vehicle listing attributes (like features or taxonomy terms) belonging to other users via Insecure Direct Object Reference (IDOR).","\u002F\u002F assets\u002Fjs\u002Flisting-manager\u002Flisting-manager-features.js (lines 118-129)\n$.ajax({\n    url: ajaxurl,\n    type: 'POST',\n    data: {\n        action: 'listing_manager_save_form',\n        nonce: nonce,\n        template: 'term-features',\n        listing_manager_page_id: 'features',\n        term_name: newValue\n    },\n---\n\u002F\u002F assets\u002Fjs\u002Flisting-manager\u002Flisting-manager-options.js (lines 280-286)\nreturn {\n    action: 'listing_manager_get_form',\n    nonce: nonce_get_form,\n    listing_id: listingId,\n    listing_manager_page_id: 'option'\n};","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.106\u002Fassets\u002Fcss\u002Ffrontend\u002Finventory.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.107\u002Fassets\u002Fcss\u002Ffrontend\u002Finventory.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.106\u002Fassets\u002Fcss\u002Ffrontend\u002Finventory.css\t2025-07-10 13:17:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.107\u002Fassets\u002Fcss\u002Ffrontend\u002Finventory.css\t2026-03-31 13:07:30.000000000 +0000\n@@ -40,7 +40,8 @@\n     letter-spacing: -0.3px;\n }\n \n-.archive-listing-page input[type=text], .archive-listing-page input[type=search] {\n+.archive-listing-page input[type=text],\n+.archive-listing-page input[type=search] {\n     height: 40px;\n     line-height: 40px;\n }\n@@ -201,6 +202,7 @@\n     color: var(--motors-filter-field-text-color);\n     border: 1px solid var(--motors-filter-field-link-color);\n     box-shadow: none;\n+    justify-content: center;\n }\n \n .archive-listing-page .sidebar-action-units .button:hover {\n@@ -238,7 +240,8 @@\n     font-size: 14px;\n }\n \n-.archive-listing-page_content .stm-sort-by-options .stm-select-sorting .select2 .select2-selection--single, .archive-listing-page_content .stm-sort-by-options .stm-select-sorting .select2 .select2-selection__rendered {\n+.archive-listing-page_content .stm-sort-by-options .stm-select-sorting .select2 .select2-selection--single,\n+.archive-listing-page_content .stm-sort-by-options .stm-select-sorting .select2 .select2-selection__rendered {\n     height: 32px;\n     line-height: 32px;\n }\n@@ -291,6 +294,7 @@\n .archive-listing-page .sidebar-entry-header {\n     display: flex;\n     align-items: center;\n+    padding: 26px 22px;\n }\n \n .archive-listing-page .sidebar-entry-header i {\n... (truncated)","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php. An attacker with a Subscriber-level account must first obtain a valid security nonce (e.g., 'nonce' or 'nonce_get_form') localized in the Listing Manager's JavaScript environment on the dashboard. By crafting a POST request with the 'listing_manager_save_form' action and providing a target 'listing_id' belonging to an Administrator, the attacker can bypass authorization checks to modify that listing's metadata, such as injecting new taxonomy terms (features) or altering listing options. The vulnerability exists because the server-side handler fails to verify that the current user has the necessary permissions or is the owner of the specified listing ID.","gemini-3-flash-preview","2026-05-04 19:15:58","2026-05-04 19:16:49",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.4.106","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags\u002F1.4.106","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmotors-car-dealership-classified-listings.1.4.106.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags\u002F1.4.107","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmotors-car-dealership-classified-listings.1.4.107.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags"]