PT-2026-40884 · WordPress · Motors – Car Dealership & Classified Listings Plugin

Leonid Semenenko

·

Published

2026-05-14

·

Updated

2026-05-14

·

CVE-2026-3892

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions The Motors – Car Dealership & Classified Listings Plugin versions prior to 1.4.108
Description Insufficient file path validation in the become-dealer logo upload flow allows authenticated users with subscriber level access and above to delete arbitrary files on the server. This occurs because the profile update handler permits the setting of an arbitrary filesystem path.
Recommendations Update the plugin to a version later than 1.4.107.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-3892

Affected Products

Motors – Car Dealership & Classified Listings Plugin