CVE-2026-13114

Stylemix · Motors – Car Dealership & Classified Listings Plugin

The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via user-controlled input fields.

Executive summary

A Stored Cross-Site Scripting (XSS) vulnerability in the Motors – Car Dealership & Classified Listings Plugin allows unauthenticated attackers to execute malicious scripts in user browsers.

Vulnerability

This is a Stored XSS vulnerability (CWE-79) occurring through comment content and user biographical info, allowing unauthenticated attackers to inject malicious JavaScript that executes when viewed by administrators or other users.

Business impact

With a CVSS score of 7.2, this XSS flaw poses a significant risk to site integrity and user sessions. Attackers can potentially hijack administrator sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users, leading to widespread site compromise.

Remediation

Immediate Action: Update the Motors – Car Dealership & Classified Listings Plugin to version 1.4.113 immediately.

Proactive Monitoring: Monitor for suspicious or anomalous scripts appearing in user comments or user profiles.

Compensating Controls: Implement a strong Content Security Policy (CSP) and use a WAF to inspect and block malicious scripts submitted via user input fields.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The vulnerability allows for the persistent execution of arbitrary code within the context of the site. It is critical to apply the update to version 1.4.113 to remediate this flaw and prevent potential account takeovers or malicious script injection.