Published : June 28, 2026

CVE-2026-54814: Motors – Car Dealership & Classified Listings Plugin <= 1.4.109 Authenticated (Subscriber+) Local File Inclusion PoC, Patch Analysis & Rule

Severity: High (CVSS 7.5)
CWE: 98
Vulnerable Version: 1.4.109
Patched Version: 1.4.110
Disclosed: June 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-54814:

This vulnerability allows authenticated users with subscriber-level access or higher to perform a Local File Inclusion (LFI) attack against the Motors – Car Dealership & Classified Listings plugin for WordPress, in versions up to and including 1.4.109. The flaw resides in the template loading mechanism used throughout the plugin, specifically in the stm_listings_locate_template() and stm_listings_load_template() functions in includes/templates.php, and enables an attacker to include arbitrary PHP files from the server, leading to code execution, data exfiltration, or access control bypass.

Root Cause: The stm_listings_locate_template() function in includes/templates.php performed no validation of the $template parameter, so path traversal sequences such as '..' and absolute paths were accepted. The function also did not sanitize the $template value before passing it to file_exists() or realpath(), meaning an attacker could traverse outside the intended templates directory. In the user-facing page rendering flow (templates/user/private/user.php, lines 10-55), the $tpl variable derived from $_GET['page'] was sanitized with sanitize_text_field(), which does not block path traversal sequences. Within stm_listings_locate_template() the plugin's template base directory was prepended to the template path, but an attacker could break out of it using '../' or an absolute path. The patched code adds a new function, stm_listings_is_safe_template_path() (line 52 of the diff), that explicitly rejects directory traversal ('..'), protocol wrappers (php://, file://), null bytes and other schemes, so that only relative paths within the templates directory are processed.

Exploitation: An attacker, authenticated as a subscriber or higher, crafts a GET request to the user's private dashboard page at /wp-content/plugins/motors-car-dealership-classified-listings/templates/user/private/user.php?page=../../../etc/passwd or a similar path traversal payload. The vulnerable code path in user.php retrieves the 'page' parameter via $_GET['page'] and passes it to do_action('stm_listings_load_template', $path . $_GET['page']), which concatenates the attacker-supplied value with the legitimate template directory path. The stm_listings_load_template function calls stm_listings_locate_template without validation, allowing arbitrary file inclusion. File inclusion can use PHP wrappers (php://filter/convert.base64-encode/resource=…) to read sensitive files, or, if an attacker can upload a 'safe' file (e.g., an image with embedded PHP), the inclusion leads to RCE.

Patch Analysis: The patch introduces several complementary defenses. First, the new stm_listings_is_safe_template_path() function (added in includes/templates.php) verifies that the template path contains no directory traversal (..), no null bytes, no protocol schemes (such as php://) and no absolute paths. Second, stm_listings_locate_template() now calls this validator and skips any unsafe template. It also normalizes the path (converting backslashes to forward slashes and stripping leading slashes) and applies realpath() to both the base directory and the full path, then confirms via a strpos() check that the resolved path still lies within the expected base directory. Third, user.php (lines 10-19) now strictly whitelists the allowed pages: 'inventory', 'favourite', 'settings', 'become-dealer', 'car-edit' and 'password-recovery'. The $tpl variable is sanitized with sanitize_key(), which strips all non-alphanumeric characters except underscores and dashes, and an in_array() check ensures that only whitelisted pages load templates. Together these changes eliminate the possibility of an attacker passing arbitrary 'page' values.

Impact: Successful exploitation allows an authenticated attacker to include arbitrary files from the WordPress server, enabling remote code execution if a file containing PHP code can be included (e.g., uploaded media files, log files, or other ostensibly safe file types that carry PHP code). This can lead to complete site compromise, data theft, privilege escalation to administrator and backdoor installation. The CVSS score of 7.5 reflects high severity due to the low barrier to entry (subscriber-level access) and the potential for full system takeover.
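To make the two layers of the fix concrete, the following standalone PHP script (an added example, not the plugin's own code) implements a lexical template-name check plus realpath() containment modelled on the patched stm_listings_locate_template(), and runs it against constructed inputs, including a symlink that a '..' check alone would never see. All function names and the temp-dir fixture are this example's own.

```php
<?php
// Added example, not plugin code: a template resolver with the two layers the
// patch combines (a lexical name check and realpath() containment), run against
// constructed inputs. All function names and the temp-dir fixture are this
// example's own. Usage: php template_containment_demo.php
declare(strict_types=1);

// Lexical check modelled on the patch: reject non-strings, empty values, null
// bytes, URL schemes (php://, file://), drive letters, '//' prefixes and any
// '..' path component.
function template_name_is_safe($template): bool
{
    if (!is_string($template) || $template === '' || strpos($template, "\0") !== false) {
        return false;
    }
    $template = str_replace('\\', '/', $template);
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $template)
        || preg_match('#^[a-z]:/#i', $template)
        || strpos($template, '//') === 0) {
        return false;
    }
    foreach (explode('/', trim($template, '/')) as $part) {
        if ($part === '..') {
            return false;
        }
    }
    return true;
}

// Resolve a template name to a file physically inside $base, or null. The
// realpath() containment check catches what the lexical check cannot see, e.g.
// a symlink inside the templates directory that points somewhere else.
function locate_template(string $base, $template): ?string
{
    if (!template_name_is_safe($template)) {
        return null;
    }
    $template = ltrim(str_replace('\\', '/', $template), '/');
    if (substr($template, -4) !== '.php') {
        $template .= '.php';
    }
    $baseReal = realpath($base);
    $full = $baseReal ? realpath($baseReal . '/' . $template) : false;
    // The trailing separator matters: without it a sibling "templates2" would pass.
    if (!$baseReal || !$full || strpos($full, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// Constructed fixture: a templates dir, a sibling dir and a symlink that escapes.
$root = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir("$root/templates/user", 0700, true);
mkdir("$root/templates2", 0700, true);
file_put_contents("$root/templates/user/inventory.php", "<?php // ok\n");
file_put_contents("$root/templates2/secret.php", "<?php // outside\n");
file_put_contents("$root/outside.php", "<?php // outside\n");
@symlink("$root/outside.php", "$root/templates/link.php");

$cases = [
    'user/inventory',          // legitimate page -> loaded
    '../outside',              // traversal -> rejected lexically
    '../templates2/secret',    // traversal into a sibling dir -> rejected lexically
    '/etc/passwd',             // absolute -> stripped to relative, no such file
    'php://filter/resource=x', // stream wrapper -> rejected lexically
    "user/inventory\0.txt",    // null byte -> rejected lexically
    'link',                    // symlink escape -> only realpath() catches it
];
foreach ($cases as $case) {
    $hit = locate_template("$root/templates", $case);
    printf("%-26s => %s\n", addcslashes($case, "\0"), $hit ? 'load ' . basename($hit) : 'rejected');
}
```

The fixture is left under the system temp directory so the resolved paths can be inspected afterwards; only the 'user/inventory' case should report a load.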

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/motors-car-dealership-classified-listings/includes/actions.php
+++ b/motors-car-dealership-classified-listings/includes/actions.php
@@ -984,28 +984,80 @@

 		$response = array( 'status' => 'Error' );

-		$car_id = intval( filter_var( wp_unslash( $_POST['car_id'] ), FILTER_SANITIZE_NUMBER_INT ) );
-		$price  = floatval( filter_var( wp_unslash( $_POST['price'] ), FILTER_SANITIZE_NUMBER_FLOAT ) );
+		$car_id = isset( $_POST['car_id'] ) ? absint( wp_unslash( $_POST['car_id'] ) ) : 0;

-		if ( ! empty( $car_id ) && ! empty( $price ) ) {
+		if ( ! empty( $car_id ) && stm_is_listing_available_for_online_purchase( $car_id ) ) {
+			$price = stm_get_listing_online_purchase_price( $car_id );

-			update_post_meta( $car_id, '_price', $price );
-			update_post_meta( $car_id, 'is_sell_online_status', 'in_cart' );
+			if ( $price > 0 ) {
+				update_post_meta( $car_id, '_price', wc_format_decimal( $price ) );
+				update_post_meta( $car_id, 'is_sell_online_status', 'in_cart' );

-			$checkout_url = wc_get_checkout_url() . '?add-to-cart=' . $car_id;
+				$checkout_url = add_query_arg( 'add-to-cart', $car_id, wc_get_checkout_url() );

-			$response = array(
-				'status'       => 'success',
-				'redirect_url' => $checkout_url,
-			);
+				$response = array(
+					'status'       => 'success',
+					'redirect_url' => $checkout_url,
+				);

-			wp_send_json( $response );
+				wp_send_json( $response );
+			}
 		}

 		wp_send_json( $response );
 	}
 }

+if ( ! function_exists( 'stm_get_online_purchase_listing_post_types' ) ) {
+	function stm_get_online_purchase_listing_post_types() {
+		$post_types = array( apply_filters( 'stm_listings_post_type', 'listings' ) );
+
+		if ( class_exists( 'STMMultiListing' ) ) {
+			$slugs = STMMultiListing::stm_get_listing_type_slugs();
+
+			if ( ! empty( $slugs ) ) {
+				$post_types = array_merge( $post_types, $slugs );
+			}
+		}
+
+		return array_unique( array_filter( $post_types ) );
+	}
+}
+
+if ( ! function_exists( 'stm_is_listing_available_for_online_purchase' ) ) {
+	function stm_is_listing_available_for_online_purchase( $listing_id ) {
+		if ( ! in_array( get_post_type( $listing_id ), stm_get_online_purchase_listing_post_types(), true ) ) {
+			return false;
+		}
+
+		if ( 'publish' !== get_post_status( $listing_id ) ) {
+			return false;
+		}
+
+		if ( empty( get_post_meta( $listing_id, 'car_mark_woo_online', true ) ) ) {
+			return false;
+		}
+
+		if ( ! empty( get_post_meta( $listing_id, 'car_mark_as_sold', true ) ) ) {
+			return false;
+		}
+
+		return true;
+	}
+}
+
+if ( ! function_exists( 'stm_get_listing_online_purchase_price' ) ) {
+	function stm_get_listing_online_purchase_price( $listing_id ) {
+		$price = get_post_meta( $listing_id, 'sale_price', true );
+
+		if ( empty( $price ) ) {
+			$price = get_post_meta( $listing_id, 'price', true );
+		}
+
+		return (float) wc_format_decimal( $price );
+	}
+}
+
 //Trade in form ajax
 if ( ! function_exists( 'handle_stm_trade_in_form' ) ) {
 	function handle_stm_trade_in_form() {
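Review bot: both failure paths in the rewritten block (listing not purchasable per stm_is_listing_available_for_online_purchase(), and a stored price that is not > 0) fall through to the same `array( 'status' => 'Error' )` response, so the client cannot tell them apart; distinct messages would help support. The price is now read from the listing's own meta rather than `$_POST['price']`, which removes the client-controlled value, and a docblock on stm_get_listing_online_purchase_price() should state that an empty or "0" `sale_price` intentionally falls back to `price`.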
--- a/motors-car-dealership-classified-listings/includes/class/User/Model/UserModel.php
+++ b/motors-car-dealership-classified-listings/includes/class/User/Model/UserModel.php
@@ -191,9 +191,13 @@
 	}

 	public function fields_by_location( $lat, $lng ) {
-		if ( empty( $lat ) ) {
+		if ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) || false === filter_var( $lng, FILTER_VALIDATE_FLOAT ) ) {
 			return '';
 		}
+
+		$lat = (float) $lat;
+		$lng = (float) $lng;
+
 		$formula = "6378.137 * ACOS(COS(RADIANS(stm_lat_prefix.meta_value))
 			* COS(RADIANS($lat))
 			* COS(RADIANS(stm_lng_prefix.meta_value) - RADIANS($lng)) + SIN(RADIANS(stm_lat_prefix.meta_value))
@@ -203,7 +207,7 @@
 	}

 	public function join_by_location( $lat ) {
-		if ( empty( $lat ) ) {
+		if ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) ) {
 			return '';
 		}
 		$join  = " JOIN $this->user_meta_table AS stm_lat_prefix ON (u.ID = stm_lat_prefix.user_id AND stm_lat_prefix.meta_key = 'stm_dealer_location_lat')";
@@ -213,15 +217,17 @@
 	}

 	public function having_by_location( $lat, $radius ) {
-		if ( empty( $lat ) ) {
+		if ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) || false === filter_var( $radius, FILTER_VALIDATE_FLOAT ) ) {
 			return '';
 		}

+		$radius = (float) $radius;
+
 		return "HAVING distance <= $radius";
 	}

 	public function order_by_location( $lat ) {
-		if ( empty( $lat ) ) {
+		if ( false === filter_var( $lat, FILTER_VALIDATE_FLOAT ) ) {
 			return '';
 		}

--- a/motors-car-dealership-classified-listings/includes/class/User/UserController.php
+++ b/motors-car-dealership-classified-listings/includes/class/User/UserController.php
@@ -64,12 +64,12 @@
 				}
 			}

-			$lat    = apply_filters( 'stm_listings_input', null, 'stm_lat' );
-			$lng    = apply_filters( 'stm_listings_input', null, 'stm_lng' );
-			$radius = apply_filters( 'motors_vl_get_nuxy_mod', '', 'distance_search' );
-			$radius = ( ! empty( $radius ) ) ? $radius : 5000;
+			$lat    = filter_var( apply_filters( 'stm_listings_input', null, 'stm_lat' ), FILTER_VALIDATE_FLOAT );
+			$lng    = filter_var( apply_filters( 'stm_listings_input', null, 'stm_lng' ), FILTER_VALIDATE_FLOAT );
+			$radius = filter_var( apply_filters( 'motors_vl_get_nuxy_mod', '', 'distance_search' ), FILTER_VALIDATE_FLOAT );
+			$radius = ( false !== $radius && $radius > 0 ) ? $radius : 5000;

-			if ( empty( $left_join ) && ! empty( floatval( $lat ) ) && ! empty( floatval( $lng ) ) ) {
+			if ( empty( $left_join ) && false !== $lat && false !== $lng ) {
 				$include_users = $model->get_filtered_users_by_location( $model->fields_by_location( $lat, $lng ), $model->join_by_location( $lat ), $model->having_by_location( $lat, $radius ), $model->order_by_location( $lat ) );
 			} elseif ( ! empty( $left_join ) && ! empty( $where ) ) {
 				$include_users = $model->get_filtered_users( $left_join, $where, $model->fields_by_location( $lat, $lng ), $model->join_by_location( $lat ), $model->having_by_location( $lat, $radius ), $model->order_by_location( $lat ) );
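Review bot: the new condition `false !== $lat && false !== $lng` is a behaviour change from `! empty( floatval( $lat ) )`: a coordinate of exactly 0.0 now counts as valid and triggers the location query, which is correct for the equator or prime meridian but deserves a changelog mention. `filter_var( null, FILTER_VALIDATE_FLOAT )` returns false, so the `null` default from `apply_filters( 'stm_listings_input', null, ... )` is handled, and the `$radius > 0` guard stops a zero or negative option value from producing an empty HAVING clause.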
--- a/motors-car-dealership-classified-listings/includes/helpers.php
+++ b/motors-car-dealership-classified-listings/includes/helpers.php
@@ -1337,7 +1337,7 @@
 		$page = 'inventory';

 		if ( isset( $_GET['page'] ) ) {
-			$page = sanitize_text_field( $_GET['page'] );
+			$page = sanitize_key( wp_unslash( $_GET['page'] ) );
 		}

 		if ( ! empty( $_GET['my_favourites'] ) ) {
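Review bot: `sanitize_key()` lowercases and strips everything outside `[a-z0-9_-]`, so a traversal value is mangled here rather than rejected; that is acceptable only because the allow-list check in user.php is the real gate, and a short comment pointing at that allow-list would stop a future reader from treating this line as the boundary. There is still no nonce around `$_GET['page']`, which is fine for a read-only navigation parameter.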
--- a/motors-car-dealership-classified-listings/includes/templates.php
+++ b/motors-car-dealership-classified-listings/includes/templates.php
@@ -15,6 +15,12 @@
 	$located = false;

 	foreach ( (array) $templates as $template ) {
+		if ( ! stm_listings_is_safe_template_path( $template ) ) {
+			continue;
+		}
+
+		$template = ltrim( str_replace( '\', '/', $template ), '/' );
+
 		if ( substr( $template, - 4 ) !== '.php' ) {
 			$template .= '.php';
 		}
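Review bot: `str_replace( '\', '/', $template )` as shown is not valid PHP (`'\'` is an escaped quote that leaves the string unterminated); it is presumably `'\\'` with a backslash lost in rendering, but worth confirming in the committed file. The normalisation runs after stm_listings_is_safe_template_path(), which is fine because the validator normalises backslashes itself before checking path components.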
@@ -26,12 +32,18 @@
 		}

 		if ( ! ( $located ) ) {
-			if ( file_exists( realpath( apply_filters( 'stm_listings_template_file', STM_LISTINGS_PATH, $template ) . '/templates/' . $template ) ) ) {
-				$located = realpath( apply_filters( 'stm_listings_template_file', STM_LISTINGS_PATH, $template ) . '/templates/' . $template );
+			$template_base = realpath( apply_filters( 'stm_listings_template_file', STM_LISTINGS_PATH, $template ) . '/templates' );
+
+			if ( $template_base ) {
+				$template_path = realpath( $template_base . '/' . $template );
+
+				if ( $template_path && 0 === strpos( $template_path, $template_base . DIRECTORY_SEPARATOR ) && file_exists( $template_path ) ) {
+					$located = $template_path;
+				}
 			}
 		}

-		if ( file_exists( $located ) ) {
+		if ( $located && file_exists( $located ) ) {
 			break;
 		}
 	}
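Review bot: the containment check `0 === strpos( $template_path, $template_base . DIRECTORY_SEPARATOR )` has the right shape (the trailing separator stops a sibling directory such as `templates2` from matching) and because `realpath()` is applied to the joined path, a symlink inside templates/ that points outside is rejected as well. The hunk only covers the plugin-directory fallback; the theme-override lookup that runs before it is not visible here and should be confirmed to apply the same check.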
@@ -40,6 +52,33 @@
 }

 /**
+ * Check that a requested template path cannot escape the listings template scope.
+ *
+ * @param mixed $template Template path.
+ *
+ * @return bool
+ */
+function stm_listings_is_safe_template_path( $template ) {
+	if ( ! is_string( $template ) || '' === $template || str_contains( $template, "" ) ) {
+		return false;
+	}
+
+	$template = str_replace( '\', '/', $template );
+
+	if ( preg_match( '#^[a-z][a-z0-9+.-]*://#i', $template ) || preg_match( '#^[a-z]:/#i', $template ) || 0 === strpos( $template, '//' ) ) {
+		return false;
+	}
+
+	foreach ( explode( '/', trim( $template, '/' ) ) as $path_part ) {
+		if ( '..' === $path_part ) {
+			return false;
+		}
+	}
+
+	return true;
+}
+
+/**
  * Load template
  *
  * @param $__template
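Review bot: `str_contains( $template, "" )` as rendered tests for the empty string, which is always true and would reject every template; the intended argument is almost certainly the null byte `"\0"`, with the backslash lost in rendering, the same way `'\'` on the following line should be `'\\'`. `str_contains()` is PHP 8.0+, so this relies on the WordPress 5.9+ polyfill or a PHP 8 minimum; the docblock could state which, and a `@param` of `mixed` is fine given the `is_string()` guard.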
@@ -47,7 +86,11 @@
  */
 function stm_listings_load_template( $__template, $__vars = array() ) {
 	extract( $__vars );
-	include stm_listings_locate_template( $__template );
+	$__located = stm_listings_locate_template( $__template );
+
+	if ( $__located ) {
+		include $__located;
+	}
 }

 add_action( 'stm_listings_load_template', 'stm_listings_load_template', 10, 2 );
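Review bot: `extract( $__vars )` runs before `$__template` is resolved and uses EXTR_OVERWRITE by default, so a `$__vars` key named `__template` would replace the template name; `extract( $__vars, EXTR_SKIP )`, or resolving `$__located` before the `extract()` call, closes that gap. Silently doing nothing when `$__located` is false is a sensible default, though a `_doing_it_wrong()` notice would help theme developers spot a mistyped template name.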
--- a/motors-car-dealership-classified-listings/includes/vehicle_functions.php
+++ b/motors-car-dealership-classified-listings/includes/vehicle_functions.php
@@ -1611,12 +1611,10 @@
 		$user_id         = get_current_user_id();
 		$attachments_ids = ( isset( $_POST['attachments'] ) && ! empty( $attachments_ids ) ) ? array_map( 'sanitize_text_field', array_values( explode( ',', $_POST['attachments'] ) ) ) : array();

-		if ( ! empty( $post_id ) ) {
-			if ( ! empty( get_post_meta( $post_id, 'stm_car_user', true ) ) && intval( get_post_meta( $post_id, 'stm_car_user', true ) ) !== intval( $user_id ) ) {
-				/*User tries to add info to another car*/
-				wp_send_json( array( 'message' => esc_html__( 'You are trying to add car to another car user, or your session has expired, please sign in first', 'stm_vehicles_listing' ) ) );
-				exit;
-			}
+		if ( ! empty( $post_id ) && ! stm_current_user_can_manage_listing_media( $post_id ) ) {
+			/*User tries to add info to another car*/
+			wp_send_json( array( 'message' => esc_html__( 'You are trying to add car to another car user, or your session has expired, please sign in first', 'stm_vehicles_listing' ) ) );
+			exit;
 		}

 		$error    = true;
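Review bot: the context line `$attachments_ids = ( isset( $_POST['attachments'] ) && ! empty( $attachments_ids ) ) ? ... : array();` tests `$attachments_ids` inside its own initialiser, so the condition is never true and the list is always empty; this is pre-existing but sits next to the changed lines and looks like it should read `! empty( $_POST['attachments'] )`. The new stm_current_user_can_manage_listing_media() check only fires when `$post_id` is non-empty, matching the old behaviour.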
@@ -1756,7 +1754,6 @@
 	}

 	add_action( 'wp_ajax_stm_ajax_add_a_car_images', 'stm_ajax_add_a_car_images' );
-	add_action( 'wp_ajax_nopriv_stm_ajax_add_a_car_images', 'stm_ajax_add_a_car_images' );
 }

 if ( ! function_exists( 'stm_listing_images_cron_event_start' ) ) {
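Review bot: dropping the `wp_ajax_nopriv_` hook means unauthenticated requests no longer reach stm_ajax_add_a_car_images(); unlike stm_ajax_add_a_car_media() later in this diff, no `check_ajax_referer()` is added to the images handler in the hunks shown, so confirm it has one.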
@@ -1807,18 +1804,80 @@

 add_action( 'stm_add_a_car_images_schedule', 'stm_add_a_car_images_schedule' );

+if ( ! function_exists( 'stm_add_a_car_listing_post_types' ) ) {
+	function stm_add_a_car_listing_post_types() {
+		$post_types = array( apply_filters( 'stm_listings_post_type', 'listings' ) );
+
+		if ( class_exists( 'STMMultiListing' ) ) {
+			$slugs = STMMultiListing::stm_get_listing_type_slugs();
+
+			if ( ! empty( $slugs ) ) {
+				$post_types = array_merge( $post_types, $slugs );
+			}
+		}
+
+		return array_unique( array_filter( $post_types ) );
+	}
+}
+
+if ( ! function_exists( 'stm_current_user_can_manage_listing_media' ) ) {
+	function stm_current_user_can_manage_listing_media( $post_id ) {
+		if ( ! is_user_logged_in() || empty( $post_id ) ) {
+			return false;
+		}
+
+		if ( ! in_array( get_post_type( $post_id ), stm_add_a_car_listing_post_types(), true ) ) {
+			return false;
+		}
+
+		if ( current_user_can( 'edit_post', $post_id ) ) {
+			return true;
+		}
+
+		$listing_user_id = absint( get_post_meta( $post_id, 'stm_car_user', true ) );
+
+		return $listing_user_id && absint( get_current_user_id() ) === $listing_user_id;
+	}
+}
+
+if ( ! function_exists( 'stm_filter_listing_media_attachments' ) ) {
+	function stm_filter_listing_media_attachments( $attachments_ids, $post_id ) {
+		$filtered = array();
+
+		foreach ( $attachments_ids as $position => $attachment_id ) {
+			$attachment_id = absint( $attachment_id );
+
+			if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) || ! wp_attachment_is_image( $attachment_id ) ) {
+				continue;
+			}
+
+			$attachment_parent = absint( wp_get_post_parent_id( $attachment_id ) );
+
+			if ( absint( $post_id ) !== $attachment_parent && ! current_user_can( 'edit_post', $attachment_id ) ) {
+				continue;
+			}
+
+			$filtered[ sanitize_key( $position ) ] = $attachment_id;
+		}
+
+		return $filtered;
+	}
+}
+
 if ( ! function_exists( 'stm_ajax_add_a_car_media' ) ) {
 	/**
 	 * Car media
 	 */
 	function stm_ajax_add_a_car_media() {
+		check_ajax_referer( 'stm_security_nonce', 'security' );
+
 		if ( apply_filters( 'stm_site_demo_mode', false ) ) {
 			wp_send_json( array( 'message' => esc_html__( 'Site is on demo mode', 'stm_vehicles_listing' ) ) );
 			exit;
 		}

-		$redirect_type = ( isset( $_POST['redirect_type'] ) ) ? $_POST['redirect_type'] : '';
-		$post_id       = intval( $_POST['post_id'] );
+		$redirect_type = ( isset( $_POST['redirect_type'] ) ) ? sanitize_key( wp_unslash( $_POST['redirect_type'] ) ) : '';
+		$post_id       = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
 		if ( ! $post_id ) {
 			/*No id passed from first ajax Call?*/
 			wp_send_json( array( 'message' => esc_html__( 'Some error occurred, try again later', 'stm_vehicles_listing' ) ) );
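Review bot: stm_add_a_car_listing_post_types() duplicates stm_get_online_purchase_listing_post_types() from actions.php line for line; one shared helper would stop the two lists drifting apart. `check_ajax_referer( 'stm_security_nonce', 'security' )` means the front-end uploader must now post a `security` field, so the matching JS change should ship with this. In stm_filter_listing_media_attachments(), an attachment with parent 0 (a fresh upload) is accepted only via `current_user_can( 'edit_post', $attachment_id )`, which is the right fallback for the uploading user.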
@@ -1828,21 +1887,21 @@
 		$user_id  = get_current_user_id();
 		$updating = $post_id && get_post_meta( $post_id, 'is_listing_updating', true );

-		if ( ! empty( $post_id ) ) {
-			if ( ! empty( get_post_meta( $post_id, 'stm_car_user', true ) ) && intval( get_post_meta( $post_id, 'stm_car_user', true ) ) !== intval( $user_id ) ) {
-				/*User tries to add info to another car*/
-				wp_send_json( array( 'message' => esc_html__( 'You are trying to add car to another car user, or your session has expired, please sign in first', 'stm_vehicles_listing' ) ) );
-				exit;
-			}
+		if ( ! stm_current_user_can_manage_listing_media( $post_id ) ) {
+			/*User tries to add info to another car*/
+			wp_send_json( array( 'message' => esc_html__( 'You are trying to add car to another car user, or your session has expired, please sign in first', 'stm_vehicles_listing' ) ) );
+			exit;
 		}

 		$attachments_ids = array();
 		foreach ( $_POST as $get_media_keys => $get_media_values ) {
 			if ( strpos( $get_media_keys, 'media_position_' ) !== false ) {
-				$attachments_ids[ str_replace( 'media_position_', '', $get_media_keys ) ] = intval( $get_media_values );
+				$attachments_ids[ str_replace( 'media_position_', '', $get_media_keys ) ] = absint( $get_media_values );
 			}
 		}

+		$attachments_ids = stm_filter_listing_media_attachments( $attachments_ids, $post_id );
+
 		$response = array(
 			'message' => '',
 			'post'    => $post_id,
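Review bot: `strpos( $get_media_keys, 'media_position_' ) !== false` matches the substring anywhere in the key rather than as a prefix, so a key such as `x_media_position_1` yields position `x_1`; `0 === strpos( ... )` would be tighter. The subsequent stm_filter_listing_media_attachments() call now discards any id that is not an image attachment the user may use, which is the substantive fix in this hunk.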
@@ -1862,7 +1921,7 @@
 		);
 		$_thumbnail_id       = get_post_thumbnail_id( $post_id );
 		if ( $_thumbnail_id ) {
-			$current_attachments = array_unique( (array) array_unshift( $current_attachments, $_thumbnail_id ), SORT_NUMERIC );
+			$current_attachments = array_unique( array_merge( array( $_thumbnail_id ), $current_attachments ), SORT_NUMERIC );
 		}

 		if ( ! empty( $current_attachments ) ) {
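Review bot: good catch on `array_unshift()`: it returns the new element count, not the array, so the old `(array) array_unshift( ... )` replaced the attachment list with a single integer and dropped every existing attachment; `array_merge( array( $_thumbnail_id ), $current_attachments )` restores the intended order with the thumbnail first.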
@@ -2002,7 +2061,6 @@
 	}

 	add_action( 'wp_ajax_stm_ajax_add_a_car_media', 'stm_ajax_add_a_car_media' );
-	add_action( 'wp_ajax_nopriv_stm_ajax_add_a_car_media', 'stm_ajax_add_a_car_media' );
 }

 if ( ! function_exists( 'stm_media_random_affix' ) ) {
--- a/motors-car-dealership-classified-listings/stm_vehicles_listing.php
+++ b/motors-car-dealership-classified-listings/stm_vehicles_listing.php
@@ -8,7 +8,7 @@
  * License: GNU General Public License v2 or later
  * License URI: http://www.gnu.org/licenses/gpl-2.0.html
  * Text Domain: stm_vehicles_listing
- * Version: 1.4.109
+ * Version: 1.4.110
  */

 if ( ! defined( 'ABSPATH' ) ) {
@@ -50,7 +50,7 @@
 	define( 'STM_LISTINGS_URL', plugins_url( '', STM_LISTINGS_FILE ) );
 	define( 'STM_LISTINGS', 'stm_vehicles_listing' );
 	define( 'STM_THEME_V_NEED', '5.6.33' );
-	define( 'STM_LISTINGS_V', '1.4.109' );
+	define( 'STM_LISTINGS_V', '1.4.110' );
 	define( 'STM_LISTINGS_DB_VERSION', '1.0.0' );
 	define( 'STM_LISTINGS_IMAGES', STM_LISTINGS_URL . '/includes/admin/butterbean/images/' );
 }
--- a/motors-car-dealership-classified-listings/templates/user/private/user.php
+++ b/motors-car-dealership-classified-listings/templates/user/private/user.php
@@ -10,6 +10,19 @@

 $tpl = apply_filters( 'stm_account_current_page', '' );

+$allowed_private_pages = apply_filters(
+	'stm_user_private_allowed_pages',
+	array(
+		'inventory',
+		'favourite',
+		'settings',
+		'become-dealer',
+		'car-edit',
+		'password-recovery',
+	)
+);
+
+$tpl = sanitize_key( $tpl );

 ?>
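Review bot: entries injected through the `stm_user_private_allowed_pages` filter must already be sanitize_key()-stable (lowercase, only `[a-z0-9_-]`), otherwise they will never match the sanitised `$tpl` or `$page`; a docblock on the filter stating this would save add-on authors a debugging session.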

@@ -33,18 +46,19 @@
 			<div class="col-md-9 col-sm-12">
 				<div class="stm-user-private-main">
 					<?php
-					if ( isset( $_GET['page'] ) ) {
-						if ( apply_filters( 'get_saved_searches_page', sanitize_text_field( $_GET['page'] ) ) === 'saved-searches' ) {
+					if ( isset( $_GET['page'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+						$page = sanitize_key( wp_unslash( $_GET['page'] ) );
+						if ( apply_filters( 'get_saved_searches_page', $page ) === 'saved-searches' ) {
 							do_action( 'load_saved_searches_page' );
-						} else {
-							do_action( 'stm_listings_load_template', $path . $_GET['page'], array( 'user_id' => $user_id ) );
+						} elseif ( in_array( $page, $allowed_private_pages, true ) ) {
+							do_action( 'stm_listings_load_template', $path . $page, array( 'user_id' => $user_id ) );
 						}
 					} else {
 						if ( 'become-dealer' === $tpl && apply_filters( 'mvl_is_addon_enabled', false, 'forms_editor' ) ) {
 							// Load FormsEditor template directly, same as legacy template
 							// Template will get variables from its own scope (Config, etc.)
 							do_action( 'stm_listings_load_template', 'addons/forms-editor/page/partials/forms/become-dealer', array() );
-						} else {
+						} elseif ( in_array( $tpl, $allowed_private_pages, true ) ) {
 							do_action( 'stm_listings_load_template', $path . $tpl, array( 'user_id' => $user_id ) );
 						}
 					}
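Review bot: replacing `else` with `elseif ( in_array( ..., $allowed_private_pages, true ) )` means an unknown page now renders an empty `stm-user-private-main` div with no feedback; consider falling back to the `inventory` default or a notice. The `phpcs:ignore WordPress.Security.NonceVerification.Recommended` annotation is appropriate for a GET navigation parameter that changes no state.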
--- a/motors-car-dealership-classified-listings/vendor/composer/installed.php
+++ b/motors-car-dealership-classified-listings/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'motors_vehicles_listing/plugin',
         'pretty_version' => 'dev-release',
         'version' => 'dev-release',
-        'reference' => 'd724753e86fcde174972faa023b00bc1c5513e6f',
+        'reference' => 'd8d629de91665cfcab1687b11cf9bcb664dc9ffb',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         'motors_vehicles_listing/plugin' => array(
             'pretty_version' => 'dev-release',
             'version' => 'dev-release',
-            'reference' => 'd724753e86fcde174972faa023b00bc1c5513e6f',
+            'reference' => 'd8d629de91665cfcab1687b11cf9bcb664dc9ffb',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-54814
# Blocks path traversal in the 'page' parameter targeting the Motors private user page
# Coverage: Authenticated LFI via template loading
# Chain: (1) the request targets the private user page, (2) 'page' carries a traversal
# sequence or a stream-wrapper scheme, (3) 'page' is not a plain slug of the kind the
# patched allow-list accepts. Dots are escaped and the dangling '|' removed so the
# traversal pattern no longer matches every value; each continued line ends in '\'.
SecRule REQUEST_URI "@contains /wp-content/plugins/motors-car-dealership-classified-listings/templates/user/private/user.php" \
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-54814 LFI via page parameter',severity:'CRITICAL',tag:'CVE-2026-54814',tag:'wordpress',tag:'motors-car-dealership'"
  SecRule ARGS_GET:page "@rx (?:\.\./|[a-z][a-z0-9+.-]*://)" \
    "t:none,t:urlDecodeUni,t:lowercase,chain"
  SecRule ARGS_GET:page "!@rx ^[a-z0-9_-]+$" \
    "t:none,t:lowercase"
