Motors – Car Dealership & Classified Listings Plugin

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Description

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Basic Information

ID CVE-2025-10494

Source Wordfence

Published Oct 8, 2025 at 03:31

Affected Product

Vendor stylemix

Product Motors – Car Dealership & Classified Listings Plugin

Version *

Affected Versions stylemix Motors – Car Dealership & Classified Listings Plugin *

CWE Classification

CWE-73

References

{
    "lastseen": "",
    "description": "The Motors \u2013 Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
    "published": "2025-10-08T03:31:32.827Z",
    "modified": "2025-10-08T03:31:32.827Z",
    "type": "cve",
    "title": "Motors \u2013 Car Dealership & Classified Listings Plugin <= 1.4.89 - Authenticated (Subscriber+) Arbitrary File Deletion",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6066890-75b9-468d-9f67-78e93f58dcc1?source=cve\nhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369415%40motors-car-dealership-classified-listings%2Ftrunk&old=3367132%40motors-car-dealership-classified-listings%2Ftrunk&sfp_email=&sfph_mail=",
    "id": "CVE-2025-10494",
    "bulletinFamily": "",
    "cwe": [
        "CWE-73"
    ],
    "cvelist": null,
    "sourceData": "stylemix Motors \u2013 Car Dealership & Classified Listings Plugin *",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Motors \u2013 Car Dealership & Classified Listings Plugin",
    "version": "*",
    "vendor": "stylemix",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Motors – Car Dealership & Classified Listings Plugin <= 1.4.89 - Authenticated (Subscriber+) Arbitrary File Deletion_CVE-2025-10494