Description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-10-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Motors – Car Dealership & Classified Listings Plugin for WordPress suffers from insufficient file path validation when deleting user profile pictures. This flaw permits an authenticated user with as little as Subscriber-level privileges to specify arbitrary file paths, leading to deletion of any writable file on the server. Removing or replacing critical files such as wp-config.php can result in remote code execution or site compromise. The weakness is a file‑path traversal/validation issue (CWE‑73).

Affected Systems

All releases of the Motors – Car Dealership & Classified Listings Plugin from Stylemix up to and including version 1.4.89 are affected. Any installation of the plugin at these versions on a WordPress site is vulnerable, regardless of WordPress core version.

Risk and Exploitability

The CVSS score of 8.1 classifies the issue as High severity, though the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated with at least Subscriber permissions, then exploit the profile picture deletion endpoint by providing an untrusted path. Because the plugin lacks strict path validation, the attacker can target any file within writable directories, providing a direct route to delete configuration files or inject malicious code.

Generated by OpenCVE AI on April 22, 2026 at 00:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Motors – Car Dealership & Classified Listings Plugin to a version newer than 1.4.89 that implements proper file path validation; if no update is available, uninstall the plugin.
  • Modify the plugin’s authorization logic to require Administrator or higher capability for profile picture deletion, preventing low‑privilege users from triggering file deletion.
  • Enhance file‑system security by setting strict permissions on critical files (e.g., wp-config.php) and employing a Web Application Firewall or file integrity monitoring to detect and block unauthorized deletion attempts.

Advisories

No advisories yet.

History

Wed, 08 Oct 2025 15:15:00 +0000

Values Removed: none listed
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Oct 2025 13:45:00 +0000

Values Removed: none listed
Values Added:
  • First Time appeared: Stylemix; Stylemix motors; Wordpress; Wordpress wordpress
  • Vendors & Products: Stylemix; Stylemix motors; Wordpress; Wordpress wordpress

Wed, 08 Oct 2025 03:45:00 +0000

Values Removed: none listed
Values Added:
  • Description: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
  • Title: Motors – Car Dealership & Classified Listings Plugin <= 1.4.89 - Authenticated (Subscriber+) Arbitrary File Deletion
  • Weaknesses: CWE-73
  • References
  • Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:00.444Z

Reserved: 2025-09-15T19:08:52.795Z

Link: CVE-2025-10494

Vulnrichment

Updated: 2025-10-08T14:20:02.902Z

NVD

Status: Deferred

Published: 2025-10-08T04:16:11.527

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z
