CVE-2025-2807

Name of the Vulnerable Software and Affected Versions: Motors – Car Dealership & Classified Listings Plugin versions 1.4.64 and earlier

Description: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl setup wizard install plugin() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server, which may make remote code execution possible.

Recommendations: For Motors – Car Dealership & Classified Listings Plugin versions 1.4.64 and earlier, consider disabling the mvl setup wizard install plugin() function until a patch is available to prevent arbitrary plugin installations. Restrict access to the plugin installation feature to minimize the risk of exploitation. Avoid using the plugin's installation functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.