CVE-2024-13737: 
WordPress vulnerability analysis and mitigation

The Motors – Car Dealer, Classifieds & Listing plugin for WordPress (CVE-2024-13737) contains a vulnerability related to unauthorized modification of data due to missing capability checks in the motorscreatetemplate and motorsdeletetemplate functions in versions up to 1.4.57. This vulnerability was discovered and disclosed on March 21, 2025 (NVD).

The vulnerability stems from insufficient authorization checks in two key functions: motorscreatetemplate and motorsdeletetemplate. The issue requires the Elementor plugin to be installed, which is a required plugin for Motors Starter Theme. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness is categorized as CWE-862 (Missing Authorization) (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to delete arbitrary posts or create listing templates, potentially leading to unauthorized modification of website content (NVD).

The vulnerability has been patched in version 1.4.58 of the Motors – Car Dealer, Classifieds & Listing plugin. The fix implements proper capability checks requiring 'manage_options' permissions for both template creation and deletion functions (WordPress Patch).