CVE-2026-7859 | The Motors WordPress plugin before 1.4.110 does not have pr… | CVSS 5.3 MEDIUM

Description

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.

Metadata

CVE ID: CVE-2026-7859
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-05-05 11:51 UTC
Published: 2026-06-22 06:00 UTC
Last updated: 2026-06-22 12:50 UTC
Primary CWE: CWE-862
CWE-862 Missing Authorization
Vendor / Product: Unknown / Motors
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	Motors	—	0 < 1.4.110

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-862 Missing Authorization
—	cna	CWE-352 Cross-Site Request Forgery (CSRF)
CWE-862	adp	CWE-862 Missing Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (1)

https://wpscan.com/vulnerability/3c11e490-92d8-46e1-a0ae-7c4c703ac411/