Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Motors - Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to set an arbitrary filesystem path via the profile update handler. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server.
AnalysisAI
Arbitrary file deletion in the Motors - Car Dealership & Classified Listings Plugin for WordPress (versions up to and including 1.4.107) allows authenticated users with subscriber-level access or higher to delete arbitrary files on the server by supplying a malicious filesystem path through the become-dealer logo upload flow. The flaw was reported by Wordfence and carries a CVSS of 8.1, but EPSS remains very low (0.05%) and CISA SSVC reports no observed exploitation, indicating risk is theoretical rather than active. No public exploit identified at time of analysis.
Technical ContextAI
The vulnerability resides in the Motors plugin by Stylemix (CPE cpe:2.3:a:stylemix:motors_-_car_dealership_&_classified_listings_plugin), specifically in the profile update handler that processes the 'become-dealer' logo upload workflow. CWE-73 (External Control of File Name or Path) applies here: the plugin accepts an attacker-supplied filesystem path without sufficient validation or canonicalization, allowing the path to escape the intended upload/profile directory. Because WordPress runs the plugin in the same process as the rest of the site, deletion of files such as wp-config.php can trigger the WordPress setup flow, which is a known escalation path from arbitrary file deletion to full site takeover.
RemediationAI
Upstream fix available (WordPress.org plugin changeset 3505874); a released patched version above 1.4.107 should be installed via the WordPress plugin updater as the primary remediation - consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/52cbc6a4-9825-4b26-8653-0c75cf5247c5 and the changeset at https://plugins.trac.wordpress.org/changeset/3505874/ for the authoritative fix. Until the update is applied, disable open user registration in WordPress settings (Settings → General → 'Anyone can register') to remove the subscriber-level access that is required for exploitation, accepting the trade-off that legitimate self-service signups will be blocked. As a stronger short-term control, deactivate the Motors plugin or restrict access to the become-dealer/profile update endpoints via a WAF rule (e.g., Wordfence) and audit existing subscriber accounts for unfamiliar registrations; deactivation will break dealership listing functionality but eliminates the vulnerable code path entirely.
Stored cross-site scripting in the StyleMix Motors - Car Dealership & Classified Listings plugin for WordPress (all vers
Authorization bypass in the Motors - Car Dealership & Classified Listings Plugin for WordPress allows authenticated subs
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30247
GHSA-9cxh-6r98-3gc8