Description
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.
Severity (CVSS)
| Base score | 5.3 |
|---|---|
| Severity | Medium |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Provided by | CISA-ADP |
Weaknesses
- — CWE-862 Missing Authorization
- — CWE-352 Cross-Site Request Forgery (CSRF)
- CWE-862 — CWE-862 Missing Authorization
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Unknown | Motors | 0 to <1.4.110 |
References
- https://wpscan.com/vulnerability/3c11e490-92d8-46e1-a0ae-7c4c703ac411/ (exploit vdb-entry technical-description)
Generated from the official CVE List on 22 Jun 2026 14:43 UTC.