Skip to main content

Motors WordPress Plugin EUVDEUVD-2026-30247

| CVE-2026-3892 HIGH
External Control of File Name or Path (CWE-73)
2026-05-14 Wordfence GHSA-9cxh-6r98-3gc8
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:50 vuln.today
CVE Published
May 14, 2026 - 06:44 nvd
HIGH 8.1

DescriptionCVE.org

The Motors - Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to set an arbitrary filesystem path via the profile update handler. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server.

AnalysisAI

Arbitrary file deletion in the Motors - Car Dealership & Classified Listings Plugin for WordPress (versions up to and including 1.4.107) allows authenticated users with subscriber-level access or higher to delete arbitrary files on the server by supplying a malicious filesystem path through the become-dealer logo upload flow. The flaw was reported by Wordfence and carries a CVSS of 8.1, but EPSS remains very low (0.05%) and CISA SSVC reports no observed exploitation, indicating risk is theoretical rather than active. No public exploit identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Motors plugin by Stylemix (CPE cpe:2.3:a:stylemix:motors_-_car_dealership_&_classified_listings_plugin), specifically in the profile update handler that processes the 'become-dealer' logo upload workflow. CWE-73 (External Control of File Name or Path) applies here: the plugin accepts an attacker-supplied filesystem path without sufficient validation or canonicalization, allowing the path to escape the intended upload/profile directory. Because WordPress runs the plugin in the same process as the rest of the site, deletion of files such as wp-config.php can trigger the WordPress setup flow, which is a known escalation path from arbitrary file deletion to full site takeover.

RemediationAI

Upstream fix available (WordPress.org plugin changeset 3505874); a released patched version above 1.4.107 should be installed via the WordPress plugin updater as the primary remediation - consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/52cbc6a4-9825-4b26-8653-0c75cf5247c5 and the changeset at https://plugins.trac.wordpress.org/changeset/3505874/ for the authoritative fix. Until the update is applied, disable open user registration in WordPress settings (Settings → General → 'Anyone can register') to remove the subscriber-level access that is required for exploitation, accepting the trade-off that legitimate self-service signups will be blocked. As a stronger short-term control, deactivate the Motors plugin or restrict access to the become-dealer/profile update endpoints via a WAF rule (e.g., Wordfence) and audit existing subscriber accounts for unfamiliar registrations; deactivation will break dealership listing functionality but eliminates the vulnerable code path entirely.

Share

EUVD-2026-30247 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy