CVE-2026-1934 is a missing authorization vulnerability (CWE-862) in the Motors – Car Dealership & Classified Listings WordPress plugin by stylemix. The vulnerability arises from the stm_save_user_extra_fields() function, which updates sensitive user meta fields based on POST data without verifying if the user has permission to modify those fields. The function hooks into the 'personal_options_update' action and only checks if the current user can edit their own profile, which is true for any authenticated user editing their own data. This flaw allows authenticated users with Subscriber-level privileges or higher to set their stm_payment_status to 'completed', bypassing PayPal payment verification and gaining unauthorized access to paid membership features.

An authenticated attacker with Subscriber-level access or higher can bypass payment verification by manipulating user meta fields, specifically setting their payment status to 'completed'. This allows unauthorized access to paid Dealer membership features without completing any transaction. The vulnerability does not impact confidentiality or availability but results in integrity loss by enabling unauthorized privilege escalation within the plugin's membership system.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles to trusted users only and monitor for suspicious changes to user meta fields related to payment status. Avoid granting Subscriber-level or higher access to untrusted users. Review and harden authorization checks in custom plugin code if possible.