
CVE-2024-5545: CWE-862 Missing Authorization in stylemix Motors – Car Dealer, Classifieds & Listing

Severity: Medium
Type: Vulnerability
Tags: CVE-2024-5545, cve, cve-2024-5545, cwe-862
Published: Tue Jul 02 2024 (07/02/2024, 07:37:04 UTC)
Source: CVE Database V5
Vendor/Project: stylemix
Product: Motors – Car Dealer, Classifieds & Listing

Description

CVE-2024-5545 is a medium severity vulnerability in the WordPress plugin 'Motors – Car Dealer, Classifieds & Listing' by stylemix. The flaw arises from a missing authorization check in the stm_edit_delete_user_car function, allowing unauthenticated attackers to unpublish arbitrary posts and pages. This vulnerability affects all versions up to and including 1.4.8. Exploitation requires no authentication or user interaction and can impact the integrity of website content through unauthorized modification. There are currently no known exploits in the wild. Organizations using this plugin risk content manipulation that could disrupt business operations or damage reputation. No official patch is currently available, so mitigation involves restricting plugin usage or monitoring for suspicious activity. Countries with significant WordPress usage and automotive classifieds markets are most at risk.

AI-Powered Analysis

Last updated: 02/26/2026, 02:40:06 UTC

Technical Analysis

CVE-2024-5545 is a vulnerability classified under CWE-862 (Missing Authorization) found in the 'Motors – Car Dealer, Classifieds & Listing' WordPress plugin developed by stylemix. The issue exists because the function stm_edit_delete_user_car lacks proper capability checks, allowing unauthenticated attackers to invoke it and unpublish arbitrary posts and pages. This means that any attacker without credentials can modify the state of content on affected WordPress sites, specifically by unpublishing listings or pages managed by the plugin. The vulnerability affects all versions up to and including 1.4.8. The CVSS 3.1 base score is 5.3, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). No patches or fixes have been published yet, and no exploits are known to be active in the wild. The vulnerability could be leveraged to disrupt the integrity of website content, potentially harming business operations or user trust. Since the plugin is used primarily in automotive dealer and classifieds websites, the impact is focused on that niche. The lack of authentication requirement and ease of exploitation make this a significant concern for affected sites.

Potential Impact

The primary impact of CVE-2024-5545 is on the integrity of website content managed by the vulnerable plugin. Attackers can unpublish posts and pages without authentication, which can disrupt business operations, especially for automotive dealers and classifieds relying on accurate and available listings. This could lead to loss of revenue, customer trust, and brand reputation. Although confidentiality and availability are not directly affected, the unauthorized modification of content can indirectly cause availability issues if critical listings are removed from public view. The vulnerability could also be used as part of a broader attack chain to cause confusion or facilitate phishing by manipulating legitimate content. Organizations worldwide using this plugin are at risk, particularly those with high traffic or commercial dependency on their WordPress sites. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as public disclosure may prompt attackers to develop exploits.

Mitigation Recommendations

Since no official patch is currently available, organizations should take immediate steps to mitigate risk. First, restrict access to the WordPress admin and plugin management interfaces using IP whitelisting or VPNs to reduce exposure. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the stm_edit_delete_user_car function or related plugin endpoints. Monitor website content and logs for unexpected unpublishing or modification activities. Consider temporarily disabling or removing the plugin if it is not critical to operations. Keep the WordPress core and all other plugins updated to reduce the attack surface. Engage with the plugin vendor or community to track patch releases and apply updates promptly once available. Additionally, educate site administrators about the vulnerability and encourage regular backups to enable quick restoration if content is maliciously altered.
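
One way to implement the monitoring step above, as an added example (not code from the plugin, its vendor or this advisory): a WordPress must-use plugin that logs every transition of a post or page out of the "publish" status when no user is logged in. The file name, the UNAUTH_UNPUBLISH log prefix and the decision to skip WP-Cron and WP-CLI contexts are assumptions.

```php
<?php
/**
 * Plugin Name: Unauthenticated unpublish monitor (added example)
 * Hypothetical mu-plugin: save as wp-content/mu-plugins/unpublish-monitor.php
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse direct access outside WordPress.
}

// Read one $_SERVER value defensively; returns '' when the key is absent.
function upm_server_value( $key ) {
    return isset( $_SERVER[ $key ] )
        ? sanitize_text_field( wp_unslash( $_SERVER[ $key ] ) )
        : '';
}

add_action( 'transition_post_status', function ( $new_status, $old_status, $post ) {
    // Only a change away from "publish" is of interest here.
    if ( 'publish' !== $old_status || 'publish' === $new_status ) {
        return;
    }
    // Assumption: cron and CLI runs legitimately act without a logged-in user.
    if ( wp_doing_cron() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    // An authenticated editor unpublishing content is normal activity.
    if ( is_user_logged_in() ) {
        return;
    }

    $record = array(
        'time'        => gmdate( 'c' ),
        'post_id'     => (int) $post->ID,
        'post_type'   => $post->post_type,
        'old_status'  => $old_status,
        'new_status'  => $new_status,
        'remote_addr' => upm_server_value( 'REMOTE_ADDR' ),
        'request_uri' => upm_server_value( 'REQUEST_URI' ),
        'user_agent'  => upm_server_value( 'HTTP_USER_AGENT' ),
    );

    // JSON encoding keeps the entry on one line, so request data cannot forge log lines.
    error_log( 'UNAUTH_UNPUBLISH ' . wp_json_encode( $record ) );
}, 10, 3 );
```

Each logged entry can be correlated with the web server access log by timestamp and client address, and the post IDs it lists are the ones to review and republish.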


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-05-30T18:56:45.746Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6bebb7ef31ef0b55c231

Added to database: 2/25/2026, 9:38:51 PM

Last enriched: 2/26/2026, 2:40:06 AM

Last updated: 2/26/2026, 12:44:18 PM
