PT-2026-39982 · WordPress · Motors – Car Dealership & Classified Listings Plugin

Shrikant Bhosale

·

Published

2026-05-12

·

Updated

2026-05-12

·

CVE-2026-1934

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Motors – Car Dealership & Classified Listings versions prior to 1.4.104
Description The plugin is subject to a payment bypass due to insecure user meta updates. The stm save user extra fields() function updates sensitive user meta fields from POST data without verifying if the user has the necessary permissions to modify those specific fields. Because the function hooks into the 'personal options update' action and only verifies if a user can edit their own profile, authenticated attackers with Subscriber-level access or higher can modify the stm payment status variable to 'completed'. This allows them to bypass PayPal payment verification and gain unauthorized access to paid Dealer membership features.
Recommendations Update the plugin to a version later than 1.4.103.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-1934

Affected Products

Motors – Car Dealership & Classified Listings Plugin