CVE-2026-13114
Stylemix · Motors – Car Dealership & Classified Listings Plugin
The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via user-controlled input fields.
Executive summary
A Stored Cross-Site Scripting (XSS) vulnerability in the Motors – Car Dealership & Classified Listings Plugin allows unauthenticated attackers to execute malicious scripts in user browsers.
Vulnerability
This is a Stored XSS vulnerability (CWE-79) occurring through comment content and user biographical info, allowing unauthenticated attackers to inject malicious JavaScript that executes when viewed by administrators or other users.
Business impact
With a CVSS score of 7.2, this XSS flaw poses a significant risk to site integrity and user sessions. Attackers can potentially hijack administrator sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users, leading to widespread site compromise.
Remediation
Immediate Action: Update the Motors – Car Dealership & Classified Listings Plugin to version 1.4.113 immediately.
Proactive Monitoring: Monitor for suspicious or anomalous scripts appearing in user comments or user profiles.
Compensating Controls: Implement a strong Content Security Policy (CSP) and use a WAF to inspect and block malicious scripts submitted via user input fields.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The vulnerability allows for the persistent execution of arbitrary code within the context of the site. It is critical to apply the update to version 1.4.113 to remediate this flaw and prevent potential account takeovers or malicious script injection.