
CVE-2024-13737: CWE-862 Missing Authorization in stylemix Motors – Car Dealership & Classified Listings Plugin

Severity: Medium
Tags: Vulnerability, CVE-2024-13737, cve, cve-2024-13737, cwe-862
Published: Sat Mar 22 2025 (03/22/2025, 02:22:10 UTC)
Source: CVE Database V5
Vendor/Project: stylemix
Product: Motors – Car Dealership & Classified Listings Plugin

Description

CVE-2024-13737 is a medium severity vulnerability in the Motors – Car Dealership & Classified Listings WordPress plugin by stylemix. It involves missing authorization checks in the motors_create_template and motors_delete_template functions, allowing authenticated users with Subscriber-level access or higher to create or delete listing templates arbitrarily. Exploitation requires the Elementor plugin, which is a dependency for the Motors Starter Theme. The vulnerability does not impact confidentiality or availability but allows unauthorized modification of listing templates, potentially disrupting site content integrity. No known exploits are currently reported in the wild. The CVSS score is 4.3, reflecting low complexity and no user interaction needed. Organizations using this plugin, especially those relying on the Motors Starter Theme with Elementor, should prioritize patching or applying mitigations to prevent unauthorized content manipulation.

AI-Powered Analysis

Last updated: 02/25/2026, 22:16:56 UTC

Technical Analysis

CVE-2024-13737 is a vulnerability classified under CWE-862 (Missing Authorization) affecting all versions up to and including 1.4.57 of the Motors – Car Dealership & Classified Listings plugin for WordPress, developed by stylemix. The root cause is the absence of proper capability checks in two critical functions: motors_create_template and motors_delete_template. These functions handle the creation and deletion of listing templates within the plugin. Because of this missing authorization, any authenticated user with at least Subscriber-level privileges can invoke these functions to create arbitrary listing templates or delete existing posts without proper permissions. The exploitation path requires the Elementor plugin to be installed, as it is a prerequisite for the Motors Starter Theme, which integrates with the vulnerable plugin. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The impact is limited to integrity, as attackers can modify or delete content but cannot affect confidentiality or availability. No patches are currently linked, and no known exploits have been observed in the wild. The vulnerability was published on March 22, 2025, and assigned a CVSS v3.1 base score of 4.3, indicating medium severity. This vulnerability highlights the importance of enforcing strict authorization checks even for lower-privileged authenticated users in WordPress plugins that manage content.

Potential Impact

The primary impact of CVE-2024-13737 is unauthorized modification of website content, specifically the creation and deletion of listing templates and posts within the Motors plugin environment. For organizations running car dealership or classified listing websites using this plugin, attackers with Subscriber-level access can manipulate listings, potentially leading to misinformation, defacement, or disruption of business operations. While the vulnerability does not directly compromise sensitive data confidentiality or cause denial of service, the integrity loss can damage brand reputation and user trust. Attackers could also use this capability to remove legitimate listings or inject fraudulent ones, affecting customer experience and revenue. Since the vulnerability requires authentication but only minimal privileges, it broadens the threat surface to include any registered user, including those with minimal trust. The dependency on the Elementor plugin and Motors Starter Theme means that organizations using these combined components are at risk. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks, especially as the vulnerability becomes publicly known.

Mitigation Recommendations

To mitigate CVE-2024-13737, organizations should first verify if they are using the Motors – Car Dealership & Classified Listings plugin version 1.4.57 or earlier in conjunction with the Elementor plugin and Motors Starter Theme. Immediate mitigation steps include restricting user roles and permissions to minimize the number of users with Subscriber-level or higher access, especially on publicly accessible sites. Administrators should audit existing user accounts for unnecessary privileges and remove or downgrade them accordingly. Until an official patch is released, consider disabling or limiting the use of the affected functions via custom code or security plugins that enforce capability checks on motors_create_template and motors_delete_template calls. Monitoring and logging plugin activity related to template creation and deletion can help detect exploitation attempts. Additionally, implementing a Web Application Firewall (WAF) with rules targeting unauthorized access patterns to these functions can provide a protective layer. Regularly check for updates from stylemix and apply patches promptly once available. Finally, educate site administrators and users about the risks of granting excessive permissions and the importance of plugin security hygiene.
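
One way to apply the capability check described above as custom code, shown here as an added example (not stylemix's code and not an official patch): a must-use plugin that rejects the two template actions for users who lack an editing capability and logs each denied call. It assumes the two functions are reachable as admin-ajax actions of the same names and that `edit_others_posts` is an appropriate capability for template management; `template_guard_check` and `TEMPLATE_GUARD_CAP` are hypothetical names.

```php
<?php
/**
 * Plugin Name: Motors template action guard (added example)
 * Description: Capability gate in front of two Motors template actions.
 *
 * Assumption: the plugin exposes motors_create_template and
 * motors_delete_template as admin-ajax actions of the same name.
 * Confirm the hook names in the installed plugin source before relying on this.
 */

// Assumption: template management should be limited to editors and above.
const TEMPLATE_GUARD_CAP = 'edit_others_posts';

function template_guard_check() {
    // Strip the "wp_ajax_" prefix of the hook currently firing, for the log line.
    $action = substr( current_filter(), strlen( 'wp_ajax_' ) );

    if ( current_user_can( TEMPLATE_GUARD_CAP ) ) {
        return; // Authorized: let the plugin's own handler run.
    }

    // Record the denied call so template create/delete attempts are auditable.
    error_log( sprintf(
        'template-guard: denied %s for user_id=%d ip=%s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    // Sends a JSON error with HTTP 403 and terminates the request,
    // so handlers registered at a later priority never execute.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

foreach ( array( 'motors_create_template', 'motors_delete_template' ) as $guarded ) {
    // Priority 0 runs before handlers registered at the default priority 10.
    add_action( 'wp_ajax_' . $guarded, 'template_guard_check', 0 );
}
```

Placed in `wp-content/mu-plugins/`, the file loads on every request and cannot be deactivated from the plugins screen; remove it once a fixed plugin version is installed.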


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-26T17:34:42.653Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e6cb7ef31ef0b5a055d

Added to database: 2/25/2026, 9:49:32 PM

Last enriched: 2/25/2026, 10:16:56 PM

Last updated: 2/26/2026, 8:32:13 AM
