Description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to set an arbitrary filesystem path via the profile update handler. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server.
Published: 2026-05-14
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness lies in the Motors plugin's dealer logo upload flow, where the 'stm_dealer_logo_path' parameter is insufficiently validated. An authenticated user with subscriber-level or higher privileges can submit any filesystem path, and the plugin deletes the referenced file. This is a classic case of external control of a file name or path (CWE-73) leading to arbitrary file deletion. The result is that the attacker can remove arbitrary files on the server, potentially including critical configuration files or data, thereby compromising the site's integrity and availability.
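The defensive pattern a WordPress profile handler should follow when it replaces a previously uploaded logo, shown here as an added example that is not code from the Motors plugin. The path to delete is taken from user meta written by the upload step rather than from the request, reduced to a bare filename, and then canonicalised and confined to a per-user directory under the uploads tree before anything is unlinked. The function names, the 'example_' meta key and nonce action, and the 'dealer-logos/<user_id>' directory layout are assumptions for illustration; the WordPress functions used (wp_upload_dir, wp_normalize_path, wp_verify_nonce, current_user_can, get_user_meta, wp_delete_file) are core APIs.

```php
<?php
/**
 * Added example, not code from the Motors plugin: confining a logo deletion
 * in a WordPress profile update handler to the user's own upload directory.
 * Function names, the 'example_' meta key/nonce action and the
 * 'dealer-logos/<user_id>' layout are assumptions for illustration.
 */

/**
 * Canonicalise $relative under the current user's logo directory and return
 * the absolute path, or null if it is missing, not a regular file, or
 * resolves outside that directory.
 */
function example_resolve_logo_path( int $user_id, string $relative ): ?string {
    // Reject empty input, null bytes and absolute paths before touching the FS.
    if ( '' === $relative
        || false !== strpos( $relative, "\0" )
        || preg_match( '#^([a-zA-Z]:)?[\\\\/]#', $relative ) ) {
        return null;
    }

    $uploads  = wp_upload_dir();
    $user_dir = realpath( $uploads['basedir'] . '/dealer-logos/' . $user_id );
    if ( false === $user_dir ) {
        return null; // Nothing has been uploaded for this user yet.
    }
    $user_dir = wp_normalize_path( $user_dir );

    // realpath() resolves '..', './' and symlinks, so a prefix check on its
    // result is a check on where the file really lives, not on how it was spelled.
    $target = realpath( $user_dir . '/' . $relative );
    if ( false === $target || ! is_file( $target ) ) {
        return null;
    }
    $target = wp_normalize_path( $target );
    if ( 0 !== strpos( $target, $user_dir . '/' ) ) {
        return null; // Resolved outside the user's own logo directory.
    }
    return $target;
}

/**
 * Profile update step: remove the old logo. The path comes from user meta
 * recorded when the file was uploaded; the request never supplies a path.
 */
function example_remove_old_dealer_logo( int $user_id ): bool {
    // Only the account owner or someone allowed to edit that user may proceed.
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        return false;
    }

    // CSRF protection: the form must carry a nonce bound to this user.
    $nonce = isset( $_POST['example_logo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_logo_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_update_dealer_logo_' . $user_id ) ) {
        return false;
    }

    // Server-side record of the current logo; basename() strips any directory
    // component so even a tampered meta value cannot traverse.
    $stored = get_user_meta( $user_id, 'example_dealer_logo_file', true );
    $path   = is_string( $stored ) && '' !== $stored
        ? example_resolve_logo_path( $user_id, basename( $stored ) )
        : null;
    if ( null === $path ) {
        return false;
    }

    wp_delete_file( $path );
    delete_user_meta( $user_id, 'example_dealer_logo_file' );
    return true;
}
```

The two layers are deliberate: not reading the path from the request removes the attacker's control over it entirely, and the realpath-plus-prefix check in example_resolve_logo_path means that even if legacy code still passes a client-supplied value through, a value such as a relative traversal sequence or a symlink planted in the uploads directory cannot reach a file outside the user's own directory.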

Affected Systems

The vulnerability affects the Stylemix Motors – Car Dealership & Classified Listings Plugin for WordPress. All instances of version 1.4.107 and earlier are impacted; no later versions are known to be vulnerable.

Risk and Exploitability

With a CVSS score of 8.1 the issue is rated high severity. Exploitation requires authentication (subscriber-level access or higher), which is commonly granted to ordinary users of a site running the plugin. No EPSS data is publicly available, and the CVE is not listed in CISA KEV. The recorded CVSS vector is network-reachable with low privileges (AV:N, PR:L); once logged in, a user can delete arbitrary files on the server, potentially leading to further compromise if sensitive files are targeted.

Generated by OpenCVE AI on May 14, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Motors plugin to version 1.4.108 or newer, which includes the necessary file path validation fix.
  • If an immediate upgrade is not possible, restrict the file system permissions for the WordPress upload directory and any directories that the plugin can target, removing delete rights for the web server user.
  • Disable the become-dealer functionality or remove the plugin entirely until a patch is released.

Advisories

No advisories yet.

History

Thu, 14 May 2026 07:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to set an arbitrary filesystem path via the profile update handler. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server.

Type: Title
  Values Removed: (none)
  Values Added: Motors – Car Dealer, Classifieds & Listing <= 1.4.107 - Authenticated (Subscriber+) Arbitrary File Deletion via 'stm_dealer_logo_path' Parameter

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-73

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1, score 8.1, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T06:44:10.476Z

Reserved: 2026-03-10T16:42:55.190Z

Link: CVE-2026-3892

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-14T07:16:19.837

Modified: 2026-05-14T07:16:19.837

Link: CVE-2026-3892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:30:16Z

Weaknesses