Motors WordPress Plugin Arbitrary File Deletion Vulnerability
Vulnerability
A vulnerability allowing arbitrary file deletion has been identified in the Motors – Car Dealership & Classified Listings Plugin for WordPress, affecting all versions through 1.4.107. The issue arises from inadequate validation of file paths in the logo upload process, which allows authenticated users with subscriber-level access or higher to delete arbitrary files from the server.
Impact
Exploitation of this vulnerability could lead to unauthorized deletion of files on the server.
Reproduction
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can upload a logo through the profile update handler. During this process, the user can specify an arbitrary filesystem path, which the plugin does not properly validate. If the path is within the WordPress uploads directory, it can be used to delete files from the server.
Remediation
Users are advised to update the Motors – Car Dealership & Classified Listings Plugin to version 1.4.108 or a newer patched version.
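The path validation the advisory describes as missing, written as an added example for a generic plugin (it is not the Motors plugin's own code): the request-supplied path is canonicalized with realpath(), required to stay inside the uploads directory, and required to resolve to the logo file the application itself recorded. $uploads_basedir and $stored_logo are assumed inputs; in WordPress they would come from wp_upload_dir()['basedir'] and the user's meta.

```php
<?php
// Added example, not the Motors plugin's code: canonicalize a user-supplied
// logo path and refuse it unless it stays inside the uploads directory and
// matches the logo the application itself recorded. The weak pattern it
// replaces is passing the request value to unlink() (or to a plain string
// prefix check) without canonicalizing it first.

// Return the canonical path if $candidate resolves to an existing regular
// file inside $uploads_basedir, otherwise null.
function resolve_inside_uploads(string $candidate, string $uploads_basedir): ?string
{
    // realpath() collapses "..", repeated separators and symlinks, and
    // returns false when the path does not exist.
    $base = realpath($uploads_basedir);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base WITH a trailing separator so that a sibling
    // directory such as "uploads_evil" does not pass as a prefix match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Delete the current user's logo. $stored_logo is the path recorded by the
// application at upload time (assumed input; user meta in WordPress); the
// request-supplied $requested path must resolve to exactly that file.
function delete_user_logo(string $requested, string $stored_logo, string $uploads_basedir): bool
{
    $real   = resolve_inside_uploads($requested, $uploads_basedir);
    $stored = resolve_inside_uploads($stored_logo, $uploads_basedir);
    if ($real === null || $stored === null || $real !== $stored) {
        return false; // outside uploads, missing, or not this user's logo
    }
    return unlink($real);
}

// Self-check with constructed files in a temporary directory.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . bin2hex(random_bytes(4));
mkdir($uploads);
file_put_contents($uploads . '/logo.png', 'png');
$outside = tempnam(sys_get_temp_dir(), 'cfg'); // stands in for a file outside uploads
// "../" traversal out of the uploads directory
var_dump(delete_user_logo($uploads . '/../' . basename($outside), $uploads . '/logo.png', $uploads));
// absolute path to a file outside the uploads directory
var_dump(delete_user_logo($outside, $uploads . '/logo.png', $uploads));
// the user's own logo, spelled with a redundant "./" segment
var_dump(delete_user_logo($uploads . '/./logo.png', $uploads . '/logo.png', $uploads));
unlink($outside);
rmdir($uploads);
```

Only the third call deletes anything; the first two return false because the canonical path falls outside the uploads directory.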