CVE-2025-32654
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Stylemix Motors plugin (Motors Car Dealership & Classified Listings) up to version 1.4.65, potentially enabling attackers to read sensitive files or execute code.
💻 Affected Systems
- Stylemix Motors WordPress Plugin (Motors Car Dealership & Classified Listings)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through local file inclusion leading to remote code execution, data theft, and complete site takeover.
Likely Case
Sensitive file disclosure (configuration files, database credentials, user data) and limited code execution within web server context.
If Mitigated
Limited impact with proper file permissions, disabled dangerous PHP functions, and restricted web server access.
🎯 Exploit Status
Public exploit details available. Attack requires web-accessible endpoint with vulnerable code path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.66 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Motors Car Dealership & Classified Listings'. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.4.66+ from WordPress repository and manually replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the Motors plugin until patched
wp plugin deactivate motors-car-dealership-classified-listings
Restrict PHP file functions
linuxDisable dangerous PHP functions via php.ini
disable_functions = allow_url_fopen,allow_url_include,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file inclusion patterns
- Restrict web server permissions and implement strict file access controls
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Motors Car Dealership & Classified Listings → Version number. If version ≤1.4.65, vulnerable.Check Version:
wp plugin get motors-car-dealership-classified-listings --field=versionVerify Fix Applied:
Confirm plugin version is 1.4.66 or higher. Test vulnerable endpoints with safe payloads.📡 Detection & Monitoring
Log Indicators:
- Unusual file paths in PHP include/require statements
- Access to sensitive files (wp-config.php, /etc/passwd) via web requests
- Multiple 404 errors followed by successful file reads
Network Indicators:
- HTTP requests with file path traversal patterns (../ sequences)
- Requests to plugin-specific endpoints with file parameters
SIEM Query:
web_access_logs WHERE uri CONTAINS 'motors' AND (uri CONTAINS '../' OR uri CONTAINS 'file=' OR uri CONTAINS 'path=') AND response_code=200