{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2807", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-25T22:04:46.455Z", "datePublished": "2025-04-08T09:21:18.881Z", "dateUpdated": "2026-04-08T17:00:54.452Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:54.452Z"}, "affected": [{"vendor": "stylemix", "product": "Motors \u2013 Car Dealership & Classified Listings Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.64", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Motors \u2013 Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible."}], "title": "Motors \u2013 Car Dealership & Classified Listings Plugin <= 1.4.64 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/733f7666-468a-455c-a953-3d8946940f13?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3262748/motors-car-dealership-classified-listings/trunk/includes/admin/setup-wizard/includes/ajax_actions.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-04-07T20:33:10.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-08T13:09:06.484567Z", "id": "CVE-2025-2807", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T13:09:19.386Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2807", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-08T13:09:06.484567Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T13:09:13.187Z"}}], "cna": {"title": "Motors \u2013 Car Dealership & Classified Listings Plugin <= 1.4.64 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "stylemix", "product": "Motors \u2013 Car Dealership & Classified Listings Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.64"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-07T20:33:10.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/733f7666-468a-455c-a953-3d8946940f13?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3262748/motors-car-dealership-classified-listings/trunk/includes/admin/setup-wizard/includes/ajax_actions.php"}], "descriptions": [{"lang": "en", "value": "The Motors \u2013 Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:54.452Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2807", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:54.452Z", "dateReserved": "2025-03-25T22:04:46.455Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-08T09:21:18.881Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stylemixthemes:motors_-_car_dealer\\,_classifieds_\\&_listing:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "FF6CF3E1-E2CF-46F4-95AA-AFECB378E202", "versionEndExcluding": "1.4.65", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Motors \u2013 Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El complemento Motors \u2013 Car Dealership &amp; Classified Listings Plugin para WordPress es vulnerable a la instalaci\u00f3n de complementos arbitrarios debido a una falta de comprobaci\u00f3n de capacidad en la funci\u00f3n mvl_setup_wizard_install_plugin() en todas las versiones hasta la 1.4.64 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, instalen y activen complementos arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-2807", "lastModified": "2025-08-08T20:02:34.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-04-08T10:15:16.780", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3262748/motors-car-dealership-classified-listings/trunk/includes/admin/setup-wizard/includes/ajax_actions.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/733f7666-468a-455c-a953-3d8946940f13?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:24:11.473815+00:00", "value": {"mitigation_remediation": ["Upgrade the Motors \u2013 Car Dealership & Classified Listings Plugin to version 1.4.65 or newer to eliminate the missing capability check", "If an upgrade cannot be performed immediately, restrict the capability to install plugins by editing user roles so that only administrators retain this right", "After installing the patched version, audit the site's user roles to verify that no unintended users have plugin installation privileges", "Continuously monitor WordPress error logs and audit trails for any unauthorized plugin installation attempts"], "summary": {"action": "Upgrade", "impact": "Arbitrary Plugin Installation leading to potential remote code execution"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the Motors \u2013 Car Dealership & Classified Listings Plugin version 1.4.64 or earlier are affected. The issue was discovered in the setup wizard\u2019s AJAX action handler and is present in all releases up to and including 1.4.64.", "description_and_impact": "The vulnerable function in the Motors \u2013 Car Dealership & Classified Listings Plugin allows authenticated users with Subscriber-level access or higher to install and activate any WordPress plugin. Because the code does not verify that the user possesses the capability to manage plugins, an attacker can bootstrap malicious plugin code onto the site. The presence of arbitrary code in a plugin can grant the attacker full control over the site\u2019s filesystem and execution environment, potentially enabling remote code execution.", "risk_and_exploitability": "The CVSS score of 8.8 reflects a high severity. The EPSS score is < 1%, indicating that exploitation is currently unlikely, and the vulnerability is not listed in CISA KEV. The attack requires authentication as a Subscriber or higher, but because the capability check is omitted, an attacker only needs to be a logged\u2011in user, making the vulnerability relatively easy to exploit in a compromised or widely accessible site."}}}}, "created": "2025-07-13T11:21:38.144729+00:00", "updated": "2026-04-21T21:30:45.744615+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}