CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5545 – Motors – Car Dealer, Classifieds & Listing <= 1.4.9 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-5545
The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stm_edit_delete_user_car function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to unpublish arbitrary posts and pages. El complemento Motors – Car Dealer, Classifieds & Listing para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función stm_edit_delete_user_car en todas las versiones hasta la 1.4.8 incluida. Esto hace posible que atacantes no autenticados anulen la publicación de publicaciones y páginas arbitrarias. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3106579%40motors-car-dealership-classified-listings%2Ftrunk&old=3101090%40motors-car-dealership-classified-listings%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/62731e0e-8843-4f79-b887-c595fbefae26?source=cve • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46207 – WordPress Motors – Car Dealer & Classified Ads Plugin <= 1.4.6 is vulnerable to Server Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-46207
Server-Side Request Forgery (SSRF) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing.This issue affects Motors – Car Dealer, Classifieds & Listing: from n/a through 1.4.6. Vulnerabilidad de Server-Side Request Forgery (SSRF) en StylemixThemes Motors – Car Dealer, Classifieds & Listing. Este problema afecta a Motors – Car Dealer, Classifieds & Listing: desde n/a hasta 1.4.6. The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. • https://patchstack.com/database/vulnerability/motors-car-dealership-classified-listings/wordpress-motors-car-dealer-classifieds-listing-plugin-1-4-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46208 – WordPress Motors – Car Dealer & Classified Ads Plugin <= 1.4.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-46208
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing plugin <= 1.4.6 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejado no autenticado en el complemento StylemixThemes Motors de Car Dealer, Classifieds & Listing en versiones <= 1.4.6. The Motors – Car Dealer & Classified Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/motors-car-dealership-classified-listings/wordpress-motors-car-dealer-classifieds-listing-plugin-1-4-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38716 – WordPress Motors – Car Dealer & Classified Ads Plugin <= 1.4.4 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-38716
Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes Motors – Car Dealer, Classifieds & Listing plugin <= 1.4.4 versions. The Motors – Car Dealer & Classified Ads plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.5. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/motors-car-dealership-classified-listings/wordpress-motors-plugin-1-4-4-multiple-cross-site-request-forgery-csrf-vulnerabilities?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3989 – Motors - Car Dealer, Classifieds & Listing < 1.4.4 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-3989
The Motors WordPress plugin before 1.4.4 does not properly validate uploaded files for dangerous file types (such as .php) in an AJAX action, allowing an attacker to sign up on a victim's WordPress instance, upload a malicious PHP file and attempt to launch a brute-force attack to discover the uploaded payload. El complemento de WordPress Motors anterior a 1.4.4 no valida adecuadamente los archivos cargados para tipos de archivos peligrosos (como .php) en una acción AJAX, lo que permite a un atacante registrarse en la instancia de WordPress de una víctima, cargar un archivo PHP malicioso e intentar iniciar un ataque de fuerza bruta para descubrir el payload cargado. The Motors – Car Dealer, Classifieds & Listin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the stm_ajax_add_a_car_media function for a nopriv AJAX action in versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. • https://wpscan.com/vulnerability/1bd20329-f3a5-466d-81b0-e4ff0ca32091 • CWE-434: Unrestricted Upload of File with Dangerous Type •