CVE-2024-13737: CWE-862 Missing Authorization in stylemix Motors – Car Dealership & Classified Listings Plugin
The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the motors_create_template and motors_delete_template functions in all versions up to, and including, 1.4.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts or create listing templates. This issue requires Elementor plugin to be installed, which is a required plugin for Motors Starter Theme.
AI Analysis
Technical Summary
The Motors – Car Dealership & Classified Listings plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) in the motors_create_template and motors_delete_template functions. This flaw allows authenticated users with low privileges (Subscriber-level and above) to create or delete listing templates arbitrarily. The vulnerability requires the Elementor plugin to be installed, as it is a dependency for the Motors Starter Theme. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity but not confidentiality or availability. No patch or remediation has been confirmed.
Potential Impact
An authenticated user with Subscriber-level access or higher can exploit this vulnerability to create or delete listing templates arbitrarily within the affected plugin. This could lead to unauthorized modification of data, potentially disrupting the listing content or structure on the WordPress site. There is no evidence of confidentiality or availability impact. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Subscriber-level access where possible and monitor for suspicious activity related to template creation or deletion. Since no official fix is currently documented, applying principle of least privilege and limiting plugin dependencies may reduce risk.
CVE-2024-13737: CWE-862 Missing Authorization in stylemix Motors – Car Dealership & Classified Listings Plugin
Description
The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the motors_create_template and motors_delete_template functions in all versions up to, and including, 1.4.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts or create listing templates. This issue requires Elementor plugin to be installed, which is a required plugin for Motors Starter Theme.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Motors – Car Dealership & Classified Listings plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) in the motors_create_template and motors_delete_template functions. This flaw allows authenticated users with low privileges (Subscriber-level and above) to create or delete listing templates arbitrarily. The vulnerability requires the Elementor plugin to be installed, as it is a dependency for the Motors Starter Theme. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity but not confidentiality or availability. No patch or remediation has been confirmed.
Potential Impact
An authenticated user with Subscriber-level access or higher can exploit this vulnerability to create or delete listing templates arbitrarily within the affected plugin. This could lead to unauthorized modification of data, potentially disrupting the listing content or structure on the WordPress site. There is no evidence of confidentiality or availability impact. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Subscriber-level access where possible and monitor for suspicious activity related to template creation or deletion. Since no official fix is currently documented, applying principle of least privilege and limiting plugin dependencies may reduce risk.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-26T17:34:42.653Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e6cb7ef31ef0b5a055d
Added to database: 2/25/2026, 9:49:32 PM
Last enriched: 4/9/2026, 7:35:38 PM
Last updated: 4/12/2026, 11:42:43 AM
Views: 24
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.