PT-2026-39982 · WordPress · Motors – Car Dealership & Classified Listings Plugin
Shrikant Bhosale
·
Published
2026-05-12
·
Updated
2026-05-12
·
CVE-2026-1934
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Motors – Car Dealership & Classified Listings versions prior to 1.4.104
Description
The plugin is subject to a payment bypass due to insecure user meta updates. The
stm save user extra fields() function updates sensitive user meta fields from POST data without verifying if the user has the necessary permissions to modify those specific fields. Because the function hooks into the 'personal options update' action and only verifies if a user can edit their own profile, authenticated attackers with Subscriber-level access or higher can modify the stm payment status variable to 'completed'. This allows them to bypass PayPal payment verification and gain unauthorized access to paid Dealer membership features.Recommendations
Update the plugin to a version later than 1.4.103.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Motors – Car Dealership & Classified Listings Plugin