CVE-2019-17228
Published 2020-02-24
Priority: P2 · 78 · medium 6.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 1.15% (63.0th percentile)
includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress allows unauthenticated options changes.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| stylemixthemes | motors_car_dealer_classifieds_listing | <= 1.4.0 | — |
Detection & IOCs (extracted from sources)

Command:

```http
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
...
Content-Disposition: form-data; name="import_settings"; filename="<random>.json"
```
- Detect unauthenticated POST requests to the WordPress root with multipart form-data containing the 'import_settings' field name; this triggers the unauthenticated options import in the Motors plugin.
- Detect unauthenticated GET requests with the query parameter 'export_settings=1' to the WordPress root; this triggers the unauthenticated settings export and returns a JSON file attachment (filename=file.json).
- Successful exploitation of the export endpoint is confirmed by a response header containing 'filename=file.json' together with an HTTP 200 status.
- Fingerprint vulnerable WordPress installations by searching for the plugin path string in the page body: wp-content/plugins/motors-car-dealership-classified-listings/
- The vulnerability affects only plugin versions up to and including 1.4.0; version 1.4.1 and later are patched.
- The exploit requires two requests: first a multipart POST to import arbitrary settings, then a GET with export_settings=1 to confirm the injected values are reflected; both must succeed for full confirmation.
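As an added illustration of the detection logic above (not part of the indexed sources), the following Python classifier tags request/response records with the listed indicators and correlates the import-then-export sequence per client. The record schema and the sample records are constructed assumptions, not captured traffic.

```python
from urllib.parse import urlparse, parse_qs
PLUGIN_PATH = "wp-content/plugins/motors-car-dealership-classified-listings/"  # fingerprint string from the indicators above

def classify(rec):
    """Tag one record (assumed schema: method, target, authenticated, content_type, fields, status, resp_headers, body)."""
    tags = []
    url = urlparse(rec["target"])
    at_root = url.path in ("", "/")
    unauth = not rec.get("authenticated", False)
    ctype = rec.get("content_type", "").lower()
    # Indicator 1: unauthenticated multipart POST to the site root carrying an import_settings part.
    if (rec["method"] == "POST" and at_root and unauth
            and ctype.startswith("multipart/form-data")
            and "import_settings" in rec.get("fields", [])):
        tags.append("unauth-settings-import")
    # Indicators 2/3: unauthenticated GET ?export_settings=1; success shows as a JSON attachment with HTTP 200.
    if (rec["method"] == "GET" and at_root and unauth
            and parse_qs(url.query).get("export_settings") == ["1"]):
        tags.append("unauth-settings-export")
        disp = rec.get("resp_headers", {}).get("Content-Disposition", "")
        if rec.get("status") == 200 and "filename=file.json" in disp:
            tags.append("settings-export-succeeded")
    # Indicator 4: the plugin path in a response body marks a site that runs the plugin.
    if PLUGIN_PATH in rec.get("body", ""):
        tags.append("motors-plugin-present")
    return tags

def correlate(records):
    """Flag, per client, a successful export that follows an import (records assumed in time order)."""
    seen_import, alerts = set(), []
    for rec in records:
        tags = classify(rec)
        if "unauth-settings-import" in tags:
            seen_import.add(rec["client"])
        if "settings-export-succeeded" in tags and rec["client"] in seen_import:
            alerts.append((rec["client"], "import-then-export-confirmed"))
    return alerts

SAMPLE = [  # constructed sample records, not captured traffic
    {"client": "198.51.100.7", "method": "POST", "target": "/", "authenticated": False,
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
     "fields": ["import_settings"], "status": 200, "resp_headers": {}, "body": ""},
    {"client": "198.51.100.7", "method": "GET", "target": "/?export_settings=1", "authenticated": False,
     "content_type": "", "fields": [], "status": 200,
     "resp_headers": {"Content-Disposition": "attachment; filename=file.json"}, "body": ""},
    {"client": "203.0.113.5", "method": "GET", "target": "/", "authenticated": False, "content_type": "",
     "fields": [], "status": 200, "resp_headers": {},
     "body": '<link href="/wp-content/plugins/motors-car-dealership-classified-listings/assets/a.css">'},
]
```

An authenticated POST with the same field name is not tagged, since the indicators above describe unauthenticated requests only.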
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| NVD | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| VulnCheck | — | 6.5 | MEDIUM | — |
GHSA
GHSA-32c8-2q94-9pqj [MEDIUM] · ghsa_unreviewed · 2022-05-24 · same description as the CVE above
VulnCheck
CVE-2019-17228 [MEDIUM] stylemixthemes Motors - Car Dealer & Classified Ads Plugin (WordPress) Insufficient Verification of Data Authenticity · vulncheck · 2019 · CVSS 6.5
Affected: stylemixthemes Motors - Car Dealer & Classified Ads Plugin (WordPress)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/motors-car-dealership-classified-listings/motors-car-dealer-classified-ads-140-unauthenticated-settings-importexport
No detection rules found.
Nuclei
CVE-2019-17228 [MEDIUM] Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated settings import/export · nuclei · CVSS 6.5
Template:

```yaml
id: CVE-2019-17228
info:
  name: Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated settings import/export
  author: daffainfo
  severity: medium
  description: |
    includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress allows unauthenticated options changes.
  impact: |
    Unauthenticated attackers can modify WordPress plugin settings through import/export functionality, potentially altering site configuration and behav
```
No writeups or analysis indexed.
References:
- https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-motors-car-dealer-classified-ads-plugin/
- https://wordpress.org/plugins/motors-car-dealership-classified-listings/#developers
- https://wpvulndb.com/vulnerabilities/9884