{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/stylemix/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-13114"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Motors – Car Dealership \u0026 Classified Listings Plugin (\u003c= 1.4.112)"],"_cs_severities":["high"],"_cs_tags":["wordpress","xss","web-application","cve","plugin-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Stylemix"],"content_html":"\u003cp\u003eCVE-2026-13114 identifies a Stored Cross-Site Scripting (XSS) vulnerability affecting the \u0026quot;Motors - Car Dealership \u0026amp; Classified Listings Plugin\u0026quot; for WordPress, specifically in all versions up to and including 1.4.112. This flaw stems from insufficient input sanitization and output escaping when handling comment content and user biographical information. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages. When a user, including an administrator, subsequently accesses an injected page, the malicious script executes within their browser. This can lead to session hijacking, unauthorized actions on behalf of the victim, or website defacement. Organizations running affected versions of this plugin are at risk of client-side attacks and potential compromise of user accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious JavaScript payload designed to perform actions like stealing session cookies or redirecting users.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a WordPress site using the vulnerable \u0026quot;Motors - Car Dealership \u0026amp; Classified Listings Plugin\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted malicious script within a comment field or modifies their user biographical information on the vulnerable WordPress site.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input sanitization, the \u0026quot;Motors - Car Dealership \u0026amp; Classified Listings Plugin\u0026quot; stores this malicious payload directly into the WordPress database.\u003c/li\u003e\n\u003cli\u003eA legitimate user, such as a site administrator or another visitor, navigates to a web page where the compromised comment or user profile information is displayed.\u003c/li\u003e\n\u003cli\u003eAs the page renders, the malicious JavaScript previously injected by the attacker executes within the victim's web browser, within the context of the vulnerable website.\u003c/li\u003e\n\u003cli\u003eThe executed script performs its intended action, potentially leading to session hijacking, unauthorized actions on behalf of the victim, or redirection to phishing sites.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-13114 allows unauthenticated attackers to execute arbitrary JavaScript in the browsers of other users who view affected pages. This can lead to a range of client-side attacks, including stealing session cookies, which could allow an attacker to hijack a user's session without needing their login credentials. Attackers could also redirect users to malicious websites, deface the website, or perform actions on the site as the victim, potentially leading to privilege escalation if an administrator's session is compromised. The source does not specify any observed victims or targeted sectors, but any organization using the vulnerable plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the \u0026quot;Motors - Car Dealership \u0026amp; Classified Listings Plugin\u0026quot; for WordPress to a version patched against CVE-2026-13114.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to detect and block common Stored Cross-Site Scripting (XSS) payloads in HTTP request bodies or URL parameters, targeting inputs to comment content and user biographical information fields.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003ewebserver\u003c/code\u003e logs for suspicious HTTP requests containing common XSS payloads, such as \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e, \u003ccode\u003eonerror\u003c/code\u003e, or \u003ccode\u003ejavascript:\u003c/code\u003e keywords, particularly in POST request bodies or URL query parameters directed at WordPress endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T04:19:25Z","date_published":"2026-07-11T04:19:25Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13114-wordpress-xss/","summary":"An unauthenticated attacker can exploit CVE-2026-13114, a Stored Cross-Site Scripting vulnerability in the WordPress Motors - Car Dealership \u0026 Classified Listings Plugin versions up to 1.4.112, by injecting arbitrary web scripts into comment content or user biographical information, leading to client-side code execution when a victim views the affected page.","title":"CVE-2026-13114: Stored Cross-Site Scripting in WordPress Motors - Car Dealership \u0026 Classified Listings Plugin","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13114-wordpress-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Stylemix","version":"https://jsonfeed.org/version/1.1"}