Security Alert Summary
The Motors – Car Dealership & Classified Listings Plugin for WordPress contains a vulnerability that allows authenticated users to delete arbitrary files on the server. The issue exists in the become-dealer logo upload flow and is caused by insufficient file path validation in the profile update handler. Users with subscriber-level access and above can trigger this behavior.
CVE Details
- CVE ID: CVE-2026-3892
- Affected component: The Motors – Car Dealership & Classified Listings Plugin for WordPress
- Affected versions: All versions up to, and including, 1.4.107
- Published: May 14, 2026 7:16:19 AM
- Last modified: May 14, 2026 2:28:41 PM
- CVSS v3.1: Base Score 8.1, Severity HIGH; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Authentication / Privileges / User interaction: Authentication required (authenticated user). Privileges required: Low (subscriber-level access and above). User interaction: None.
- Primary impact: Integrity: High; Availability: High; Confidentiality: None
- CWE: CWE-73 (External Control of File Name or Path: a user-controlled value is used as a file path in a file operation)
Technical Details
The vulnerability stems from insufficient validation of file paths in the plugin’s become-dealer logo upload flow. The profile update handler accepts a filesystem path supplied by an authenticated user and neither validates it nor restricts it to the intended upload location. As a result, an authenticated attacker with subscriber-level access or higher can cause the plugin to delete arbitrary files on the server.
In CWE terms this is a file path validation flaw: the code that processes profile updates does not sanitize or constrain the value it passes to its file operations, so a path pointing outside the intended upload area leads to arbitrary file deletion. The CVE description specifically names the become-dealer logo upload flow and the profile update handler as the affected locations.
The direct impact is the deletion or modification of files on disk, which affects data integrity and can render site components unavailable. The vulnerability description and CVSS data do not indicate data disclosure as a primary effect.
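The following PHP is an added illustration of the weakness class described above (CWE-73, a request-controlled path reaching a file-deletion call) next to a hardened version that deletes only the logo the server itself previously stored under the upload directory. It is not code from the Motors plugin and does not reflect how that plugin is written; every function name, request field and meta key below is an assumption chosen for the example, and the `$get_stored_logo` / `$clear_stored_logo` callables stand in for WordPress user-meta functions so the snippet runs without WordPress.

```php
<?php
// Added illustrative example, not code from the Motors plugin.
// Shows the CWE-73 pattern the advisory describes and a hardened
// replacement. All names below are assumptions for this example.

// --- Weak pattern: the request decides which file gets deleted -----------
function weak_remove_old_logo(array $request): bool {
    // The client fully controls $request['old_logo_path'] (assumed field),
    // so any file the web-server user may delete is reachable.
    $path = $request['old_logo_path'] ?? '';
    return $path !== '' && file_exists($path) && unlink($path);
}

// --- Hardened pattern ----------------------------------------------------
/**
 * Resolve a stored logo filename to a real path inside $upload_dir.
 * Returns null if the name is malformed, the file does not exist, or the
 * resolved path (symlinks included) escapes the upload directory.
 */
function resolve_logo_path(string $upload_dir, string $filename): ?string {
    // Accept only a bare filename with a conservative character set.
    if (!preg_match('/^[A-Za-z0-9._-]{1,128}$/', $filename)) {
        return null;
    }
    $base      = realpath($upload_dir);
    $candidate = realpath($upload_dir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $candidate === false) {
        return null;
    }
    // Confine to the upload directory; the trailing separator stops a
    // sibling such as "<base>-other" from passing a plain prefix check.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

/**
 * Delete the user's previously stored logo. The filename comes from
 * server-side state (user meta), never from the request body.
 * $get_stored_logo and $clear_stored_logo are assumed callables that
 * would be get_user_meta()/delete_user_meta() in a real plugin.
 */
function hardened_remove_old_logo(
    int $user_id,
    string $upload_dir,
    callable $get_stored_logo,
    callable $clear_stored_logo
): bool {
    $stored = (string) $get_stored_logo($user_id, 'dealer_logo_file');
    if ($stored === '') {
        return false;
    }
    $path = resolve_logo_path($upload_dir, $stored);
    if ($path === null) {
        // Stored value is unusable: clear it rather than touching disk.
        $clear_stored_logo($user_id, 'dealer_logo_file');
        return false;
    }
    $ok = unlink($path);
    if ($ok) {
        $clear_stored_logo($user_id, 'dealer_logo_file');
    }
    return $ok;
}

// Self-check using a constructed temporary upload directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'logos-' . bin2hex(random_bytes(4));
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'logo.png');
var_dump(resolve_logo_path($dir, 'logo.png') !== null);   // stored logo inside dir
var_dump(resolve_logo_path($dir, '../outside.txt'));      // rejected by the filename rule
var_dump(resolve_logo_path($dir, 'missing.png'));         // nonexistent file
unlink($dir . DIRECTORY_SEPARATOR . 'logo.png');
rmdir($dir);
```

The design point is that the hardened handler never reads a path from the request at all: the only thing the client can influence is which user record is being updated, and the filename to delete is looked up server-side and then re-validated against the upload directory with `realpath()`, which also defeats symlinks planted inside the upload folder. When auditing a plugin for this class of bug, look for `unlink()`, `wp_delete_file()` or similar calls whose argument can be traced back to `$_POST`, `$_REQUEST` or a deserialized request body.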
How This Could Impact Your Website
Consider a multi-user WordPress site where the site owner manages plugins and themes, internal staff perform content updates, and external contractors or contributors have subscriber or contributor accounts. An attacker who can authenticate as a subscriber could use the profile update handler to specify filesystem paths that cause important files to be deleted. This could remove uploaded media, plugin files, or other content, leading to broken pages, missing media, or site downtime.
While the reported impact is primarily to integrity and availability rather than data disclosure, deleting logs or backups could make recovery and incident response harder. Reduced integrity and availability can also increase the risk of follow-on attacks or social engineering because service disruption may create confusion among staff or users.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially subscriber and contributor accounts that do not need profile update capabilities.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and server logs for unusual file operations or unexpected deletions.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.