[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-kXAakjMza46CUL9dhXL_hQVDr-r0RIhiD82T8ylIqw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-54812","motors-car-dealership-classified-listings-plugin-unauthenticated-sql-injection","Motors – Car Dealership & Classified Listings Plugin \u003C= 1.4.109 - Unauthenticated SQL Injection","The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.109 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","motors-car-dealership-classified-listings",null,"\u003C=1.4.109","1.4.110","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-17 00:00:00","2026-06-23 15:57:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3e0f0a0c-8ef8-419d-92bf-964166508ebc?source=api-prod",7,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Ffrontend\u002Fadd_a_car.js","assets\u002Fjs\u002Ffrontend\u002Fapp-ajax.js","includes\u002Factions.php","includes\u002Fadmin\u002Fpage_generator\u002Fjs\u002Fpage_generator.js","includes\u002Fclass\u002FUser\u002FModel\u002FUserModel.php","includes\u002Fclass\u002FUser\u002FUserController.php","includes\u002Fhelpers.php","includes\u002Fnuxy\u002Fcustom-fields\u002Fjs_components\u002Fnuxy-radio.js","researched",false,3,"_filtered_users`:\n      `$distance_order` is interpolated directly.\n      Where does `$distance_order` come from?\n      `UserController::get_dealers` calls:\n      `$model->order_by_location( $lat )`\n      If `order_by_location` returns a string containing `$lat` and `$lat` isn't escaped...\n      But `lat` is checked with `floatval`.\n\n    - Let's look at the parameters in `stm_listings_template_actions` again.\n      Wait, look at this:\n      `$action = apply_filters( 'stm_listings_input', null, 'ajax_action' );`\n      The `stm_listings_input` filter is likely the source.\n      In many Stylemix plugins, `stm_listings_input` returns `$_GET[$key]` or `$_POST[$key]`.\n      If the code uses `stm_listings_input(null, 'some_param')` and injects it...\n\n    - Look at `includes\u002Factions.php` -> `listings-result`:\n      ```php\n      if ( stm_is_multilisting() && ! empty( $_GET['posttype'] ) && ... ) {\n          set_query_var( 'listings_type', $_GET['posttype'] );\n          HooksMultiListing::stm_listings_attributes_filter( array( 'slug' => $_GET['posttype'] ) );\n      }\n      ```","The Motors – Car Dealership & Classified Listings Plugin is vulnerable to unauthenticated SQL Injection via the 'stm_lat' and 'stm_lng' parameters. These values are used to calculate distances in dealer searches and are concatenated directly into SQL queries without proper sanitization or parameter binding, allowing attackers to extract sensitive data from the database.","\u002F\u002F includes\u002Fclass\u002FUser\u002FUserController.php\n\n$lat    = apply_filters( 'stm_listings_input', null, 'stm_lat' );\n$lng    = apply_filters( 'stm_listings_input', null, 'stm_lng' );\n$radius = apply_filters( 'motors_vl_get_nuxy_mod', '', 'distance_search' );\n$radius = ( ! empty( $radius ) ) ? $radius : 5000;\n\nif ( empty( $left_join ) && ! empty( floatval( $lat ) ) && ! empty( floatval( $lng ) ) ) {\n    $include_users = $model->get_filtered_users_by_location( $model->fields_by_location( $lat, $lng ), $model->join_by_location( $lat ), $model->having_by_location( $lat, $radius ), $model->order_by_location( $lat ) );\n} \n\n---\n\n\u002F\u002F includes\u002Fclass\u002FUser\u002FModel\u002FUserModel.php\n\npublic function fields_by_location( $lat, $lng ) {\n    if ( empty( $lat ) ) {\n        return '';\n    }\n    $formula = \"6378.137 * ACOS(COS(RADIANS(stm_lat_prefix.meta_value)) \n        * COS(RADIANS($lat)) \n        * COS(RADIANS(stm_lng_prefix.meta_value) - RADIANS($lng)) + SIN(RADIANS(stm_lat_prefix.meta_value)) \n        * SIN(RADIANS($lat))) AS distance\";\n\n    return \", $formula\";\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.109\u002Fincludes\u002Fclass\u002FUser\u002FModel\u002FUserModel.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.110\u002Fincludes\u002Fclass\u002FUser\u002FModel\u002FUserModel.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.109\u002Fincludes\u002Fclass\u002FUser\u002FModel\u002FUserModel.php\t2024-05-23 12:09:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.110\u002Fincludes\u002Fclass\u002FUser\u002FModel\u002FUserModel.php\t2026-05-28 16:12:22.000000000 +0000\n@@ -191,9 +191,13 @@\n \t}\n \n \tpublic function fields_by_location( $lat, $lng ) {\n-\t\tif ( empty( $lat ) ) {\n+\t\tif ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) || false === filter_var( $lng, FILTER_VALIDATE_FLOAT ) ) {\n \t\t\treturn '';\n \t\t}\n+\n+\t\t$lat = (float) $lat;\n+\t\t$lng = (float) $lng;\n+\n \t\t$formula = \"6378.137 * ACOS(COS(RADIANS(stm_lat_prefix.meta_value)) \n \t\t\t* COS(RADIANS($lat)) \n \t\t\t* COS(RADIANS(stm_lng_prefix.meta_value) - RADIANS($lng)) + SIN(RADIANS(stm_lat_prefix.meta_value)) \n@@ -203,7 +207,7 @@\n \t}\n \n \tpublic function join_by_location( $lat ) {\n-\t\tif ( empty( $lat ) ) {\n+\t\tif ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) ) {\n \t\t\treturn '';\n \t\t}\n \t\t$join  = \" JOIN $this->user_meta_table AS stm_lat_prefix ON (u.ID = stm_lat_prefix.user_id AND stm_lat_prefix.meta_key = 'stm_dealer_location_lat')\";\n@@ -213,15 +217,17 @@\n \t}\n \n \tpublic function having_by_location( $lat, $radius ) {\n-\t\tif ( empty( $lat ) ) {\n+\t\tif ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) || false === filter_var( $radius, FILTER_VALIDATE_FLOAT ) ) {\n \t\t\treturn '';\n \t\t}\n \n+\t\t$radius = (float) $radius;\n+\n \t\treturn \"HAVING distance \u003C= $radius\";\n \t}\n \n \tpublic function order_by_location( $lat ) {\n-\t\tif ( empty( $lat ) ) {\n+\t\tif ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) ) {\n \t\t\treturn '';\n \t\t}\n \n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.109\u002Fincludes\u002Fclass\u002FUser\u002FUserController.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.110\u002Fincludes\u002Fclass\u002FUser\u002FUserController.php\n@@ -64,12 +64,12 @@\n \t\t\t\t}\n \t\t\t}\n \n-\t\t\t$lat    = apply_filters( 'stm_listings_input', null, 'stm_lat' );\n-\t\t\t$lng    = apply_filters( 'stm_listings_input', null, 'stm_lng' );\n-\t\t\t$radius = apply_filters( 'motors_vl_get_nuxy_mod', '', 'distance_search' );\n-\t\t\t$radius = ( ! empty( $radius ) ) ? $radius : 5000;\n+\t\t\t$lat    = filter_var( apply_filters( 'stm_listings_input', null, 'stm_lat' ), FILTER_VALIDATE_FLOAT );\n+\t\t\t$lng    = filter_var( apply_filters( 'stm_listings_input', null, 'stm_lng' ), FILTER_VALIDATE_FLOAT );\n+\t\t\t$radius = filter_var( apply_filters( 'motors_vl_get_nuxy_mod', '', 'distance_search' ), FILTER_VALIDATE_FLOAT );\n+\t\t\t$radius = ( false !== $radius && $radius > 0 ) ? $radius : 5000;\n \n-\t\t\tif ( empty( $left_join ) && ! empty( floatval( $lat ) ) && ! empty( floatval( $lng ) ) ) {\n+\t\t\tif ( empty( $left_join ) && false !== $lat && false !== $lng ) {","The exploit targets the dealer listing functionality. An unauthenticated attacker can provide malicious SQL within the 'stm_lat' or 'stm_lng' query parameters. Although the plugin performs a loose check using `floatval()`, it passes the original string values to `UserModel` methods. These methods interpolate the strings directly into a complex SQL formula involving geographic coordinates. By crafting a payload like '1) [INJECTED SQL]', an attacker can break out of the `RADIANS()` function call and execute arbitrary SQL commands to exfiltrate data via error-based or time-based injection techniques.","gemini-3-flash-preview","2026-06-25 22:23:05","2026-06-25 22:24:40",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.4.109","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags\u002F1.4.109","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmotors-car-dealership-classified-listings.1.4.109.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags\u002F1.4.110","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmotors-car-dealership-classified-listings.1.4.110.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags"]