A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-1934

CVE-2026-1934: Motors WordPress Plugin Auth Bypass Flaw

CVE-2026-1934 is an authentication bypass vulnerability in the Motors Car Dealership plugin for WordPress that allows attackers to bypass PayPal payment verification. This article covers technical details, affected versions, and mitigation.

Published: May 17, 2026

CVE-2026-1934 Overview

CVE-2026-1934 is a missing authorization vulnerability [CWE-862] in the Motors – Car Dealership & Classified Listings plugin for WordPress. The flaw affects all plugin versions up to and including 1.4.103. The stm_save_user_extra_fields() function updates sensitive user meta fields directly from POST data without verifying that the current user is permitted to modify those specific fields. Authenticated attackers with Subscriber-level access or above can set their own stm_payment_status user meta to completed, bypassing PayPal payment verification and unlocking paid Dealer membership features without any transaction.

Critical Impact

Authenticated Subscriber-level users can bypass PayPal payment verification and gain Dealer membership privileges without paying, resulting in revenue loss and unauthorized access to paid features.

Affected Products

  • Motors – Car Dealership & Classified Listings plugin for WordPress
  • All versions up to and including 1.4.103
  • Fixed in version 1.4.104

Discovery Timeline

  • 2026-05-12 - CVE-2026-1934 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-1934

Vulnerability Analysis

The vulnerability resides in the stm_save_user_extra_fields() function within includes/user-extra.php of the Motors plugin. The function hooks into the WordPress personal_options_update action, which fires when a user submits their own profile edit form. Its only authorization check is current_user_can('edit_user', $user_id), a capability check that passes for any authenticated user editing their own profile.

After passing that check, the function writes user meta fields directly from $_POST data without distinguishing between fields the user legitimately controls (such as display preferences) and privileged fields that govern billing and membership state. One of those privileged fields is stm_payment_status, which the plugin consults to determine whether a user has completed a PayPal payment for Dealer membership.

By submitting a crafted profile update request that includes stm_payment_status=completed, a Subscriber can grant themselves Dealer-tier privileges. This is a business logic flaw rooted in broken access control rather than a memory safety or injection issue.

Root Cause

The root cause is missing field-level authorization [CWE-862]. The plugin treats the edit_user capability as sufficient to write any user meta key, instead of maintaining an allowlist of user-editable fields and rejecting privileged keys such as stm_payment_status. Sensitive billing state is stored as ordinary user meta with no server-side trust boundary.

Attack Vector

An attacker registers a Subscriber account on a vulnerable site or uses an existing low-privilege account. The attacker submits the profile edit form with an additional POST parameter stm_payment_status set to completed. The plugin writes the value to user meta. On the next request, the plugin's membership logic reads the forged value and grants access to paid Dealer features without any PayPal transaction occurring.

The vulnerability is network-accessible, requires low privileges, and needs no user interaction. No exploitation code is required beyond a single authenticated HTTP POST. Refer to the WordPress Plugin Code Reference and the Wordfence Vulnerability Report for the vulnerable code path.

Detection Methods for CVE-2026-1934

Indicators of Compromise

  • User accounts whose stm_payment_status user meta equals completed with no corresponding PayPal transaction record or order entry.
  • Subscriber-level accounts that transitioned to Dealer-tier access without an associated payment event in plugin or PayPal logs.
  • HTTP POST requests to profile.php or the WordPress user profile update endpoint containing the parameter stm_payment_status.

Detection Strategies

  • Audit the wp_usermeta table for rows where meta_key = 'stm_payment_status' and meta_value = 'completed', then reconcile against authoritative PayPal payment records.
  • Inspect web server access logs for POST requests to user profile endpoints containing unexpected plugin-specific meta keys in the request body.
  • Correlate user role or membership-tier changes with the absence of PayPal IPN or transaction callbacks.

Monitoring Recommendations

  • Enable WordPress audit logging for user meta updates and alert on writes to stm_payment_status originating from non-administrative sessions.
  • Monitor the Motors plugin version reported by WordPress sites and flag any instance running 1.4.103 or earlier.
  • Track new Subscriber registrations followed shortly by Dealer feature usage without intervening payment events.

How to Mitigate CVE-2026-1934

Immediate Actions Required

  • Update the Motors – Car Dealership & Classified Listings plugin to version 1.4.104 or later on all affected WordPress sites.
  • Audit existing user accounts for forged stm_payment_status values and revoke Dealer privileges from any account lacking a matching PayPal transaction.
  • Review web server logs since the plugin was installed for POST requests containing stm_payment_status to identify prior exploitation attempts.

Patch Information

The vendor addressed the issue in version 1.4.104. The fix is published in WordPress Plugin Changeset 3468174 and documented in the WordPress Plugin Version Change Log. The patched stm_save_user_extra_fields() function restricts which user meta keys can be written from POST data, preventing privileged fields from being modified by non-administrative users.

Workarounds

  • If immediate patching is not possible, restrict access to the WordPress user registration and profile endpoints using a Web Application Firewall (WAF) rule that blocks requests containing the stm_payment_status parameter from non-administrator sessions.
  • Temporarily disable open Subscriber registration on the affected site until the plugin is updated.
  • Implement a server-side filter via a custom mu-plugin to unset the stm_payment_status key from $_POST before the personal_options_update action fires.
bash
# Example WAF rule pattern to block the exploit parameter
# ModSecurity-style rule
SecRule REQUEST_METHOD "@streq POST" \
  "chain,phase:2,deny,status:403,id:1002026,msg:'CVE-2026-1934 Motors plugin payment bypass attempt'"
SecRule ARGS_NAMES "@streq stm_payment_status" "t:lowercase"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechWordpress
  • SeverityMEDIUM
  • CVSS Score4.3
  • EPSS Probability0.03%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-862
  • Technical References
  • WordPress Plugin Code Reference
  • WordPress Plugin Code Reference
  • WordPress Plugin Code Reference
  • WordPress Plugin Changeset 3468174
  • WordPress Plugin Version Change Log
  • Wordfence Vulnerability Report
  • Related CVEs
  • CVE-2025-15369: Xpro Addons Auth Bypass Vulnerability
  • CVE-2026-8610: WordPress TypeSquare Plugin Auth Bypass
  • CVE-2026-8681: WordPress Essential Chat Support Bypass
  • CVE-2025-4202: Multicollab WordPress Auth Bypass Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English