PT-2026-40884 · WordPress · Motors – Car Dealership & Classified Listings Plugin
Leonid Semenenko
·
Published
2026-05-14
·
Updated
2026-05-14
·
CVE-2026-3892
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
The Motors – Car Dealership & Classified Listings Plugin versions prior to 1.4.108
Description
Insufficient file path validation in the become-dealer logo upload flow allows authenticated users with subscriber level access and above to delete arbitrary files on the server. This occurs because the profile update handler permits the setting of an arbitrary filesystem path.
Recommendations
Update the plugin to a version later than 1.4.107.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Motors – Car Dealership & Classified Listings Plugin