The Motors WP Plugin <1.4.110 Unauth CSRF & Auth Gap
CVE-2026-7859 Published on June 22, 2026

Motors Car Dealership & Classified Listings < 1.4.110 - Unauthenticated Post-Meta Write via stm_ajax_add_a_car_media
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.

NVD

The Motors WP Plugin <1.4.110 Unauth CSRF & Auth GapCVE-2026-7859 Published on June 22, 2026

The Motors WP Plugin <1.4.110 Unauth CSRF & Auth Gap
CVE-2026-7859 Published on June 22, 2026