{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3437", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-07T20:36:53.998Z", "datePublished": "2025-04-08T09:21:19.883Z", "dateUpdated": "2026-04-08T17:24:54.886Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:54.886Z"}, "affected": [{"vendor": "stylemix", "product": "Motors \u2013 Car Dealership & Classified Listings Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.66", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Motors \u2013 Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions."}], "title": "Motors \u2013 Car Dealership & Classified Listings Plugin <= 1.4.66 - Missing Authorization to Authenticated (Subscriber+) Wizard Set-up", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0af6050-8602-4ed3-b017-c10aa023849b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3267930%40motors-car-dealership-classified-listings&new=3267930%40motors-car-dealership-classified-listings&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3267930%40motors-car-dealership-classified-listings&new=3267930%40motors-car-dealership-classified-listings&sfp_email=&sfph_mail=#file2"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Chloe Chamberland"}], "timeline": [{"time": "2025-04-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-08T13:05:00.770126Z", "id": "CVE-2025-3437", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T13:05:15.170Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-08T13:05:00.770126Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T13:05:06.470Z"}}], "cna": {"title": "Motors \u2013 Car Dealership & Classified Listings Plugin <= 1.4.66 - Missing Authorization to Authenticated (Subscriber+) Wizard Set-up", "credits": [{"lang": "en", "type": "finder", "value": "Chloe Chamberland"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "stylemix", "product": "Motors \u2013 Car Dealership & Classified Listings Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.66"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0af6050-8602-4ed3-b017-c10aa023849b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3267930%40motors-car-dealership-classified-listings&new=3267930%40motors-car-dealership-classified-listings&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3267930%40motors-car-dealership-classified-listings&new=3267930%40motors-car-dealership-classified-listings&sfp_email=&sfph_mail=#file2"}], "descriptions": [{"lang": "en", "value": "The Motors \u2013 Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:54.886Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3437", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:54.886Z", "dateReserved": "2025-04-07T20:36:53.998Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-08T09:21:19.883Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stylemixthemes:motors_-_car_dealer\\,_classifieds_\\&_listing:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4D731773-AD0A-4E51-A511-26DB75668844", "versionEndExcluding": "1.4.67", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Motors \u2013 Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions."}, {"lang": "es", "value": "El complemento Motors \u2013 Car Dealership &amp; Classified Listings Plugin para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de comprobaci\u00f3n de capacidad en varias funciones del archivo ajax_actions.php en todas las versiones hasta la 1.4.66 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, ejecuten varias acciones de configuraci\u00f3n inicial."}], "id": "CVE-2025-3437", "lastModified": "2025-08-08T19:48:23.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-04-08T10:15:19.413", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3267930%40motors-car-dealership-classified-listings&new=3267930%40motors-car-dealership-classified-listings&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3267930%40motors-car-dealership-classified-listings&new=3267930%40motors-car-dealership-classified-listings&sfp_email=&sfph_mail=#file2"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0af6050-8602-4ed3-b017-c10aa023849b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:19:31.289732+00:00", "value": {"mitigation_remediation": ["Update the Motors \u2013 Car Dealership & Classified Listings Plugin to the latest available version that resolves the missing capability checks (e.g., 1.4.67 or later).", "Verify that after the update, the set\u2011up actions are only executable by users with Administrator privileges and that no other role can invoke them.", "Review any custom code or role\u2011capability modifications on the site to ensure no Subscriber or lower roles have been granted unauthorized permissions to trigger plugin configuration changes."], "summary": {"action": "Patch Plugin", "impact": "Unauthorized Data Modification"}, "threat_synthesis": {"affected_systems": "WordPress sites running stylemix:Motors \u2013 Car Dealership & Classified Listings Plugin versions up to and including 1.4.66 are affected. All installations of these versions are vulnerable to the unauthorized modification of data.", "description_and_impact": "The vulnerability arises from a missing capability check in the ajax_actions.php file of the Motors \u2013 Car Dealership & Classified Listings Plugin. This omission allows any authenticated user with Subscriber-level access or higher to invoke several initial set\u2011up functions that were intended to be restricted to administrators. As a result, attackers can modify plugin configuration data, potentially altering listings, dealership information, or other critical settings without proper authorization.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate risk, while the EPSS score of less than 1% suggests a low exploitation probability at the time of analysis. The vulnerability is not present in the CISA KEV catalog. Attackers must be authenticated but only need Subscriber-level privileges, which are commonly granted. An attacker who can log in as a Subscriber can trigger the set\u2011up actions that are currently missing authorization checks. Since the problem exists in all prior releases, the widest range of sites is potentially exploitable until the plugin is updated."}}}}, "created": "2025-07-13T11:14:04.543002+00:00", "updated": "2026-04-20T23:30:16.106849+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}