CVE-2025-2808: 
WordPress vulnerability analysis and mitigation

The Motors – Car Dealership & Classified Listings Plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-2808) discovered on April 7, 2025. The vulnerability affects all versions up to and including 1.4.63. This security flaw exists in the Phone Number parameter due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 5.4 (MEDIUM). The vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, low privileges required, user interaction required, and potential for both confidentiality and integrity impacts (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising user data and website integrity (NVD).

A fix has been implemented in version 1.4.65 of the plugin, which includes improved input sanitization for the phone number parameter. The update specifically adds proper sanitization using preg_replace to filter out non-numeric characters and implements proper escaping (WordPress Plugin).