CVE-2025-2807: 
WordPress vulnerability analysis and mitigation

The Motors – Car Dealership & Classified Listings Plugin for WordPress contains a vulnerability (CVE-2025-2807) related to arbitrary plugin installations. The vulnerability exists in versions up to and including 1.4.64, due to a missing capability check in the mvlsetupwizardinstallplugin() function. This security flaw was discovered and reported on April 7, 2025 (NVD).

The vulnerability stems from a missing authorization check in the mvlsetupwizardinstallplugin() function. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-862 (Missing Authorization) (NVD, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to install and activate arbitrary plugins on the affected site's server. This capability could potentially lead to remote code execution, giving attackers significant control over the affected WordPress installation (NVD).

A fix has been implemented in version 1.4.65 of the plugin, which adds proper capability checks before allowing plugin installations. The patch can be found in the WordPress Plugin Repository, where the ajaxactions.php file was modified to include appropriate authorization checks ([WordPress Plugin](https://plugins.trac.wordpress.org/changeset/3262748/motors-car-dealership-classified-listings/trunk/includes/admin/setup-wizard/includes/ajaxactions.php)).