CVE-2026-3892 - WordPress Motors Plugin Arbitrary File Deletion
The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to and including 1.4.107, due to insufficient file path validation in the become-dealer logo upload flow. Authenticated attackers with Subscriber-level access and above can delete arbitrary files on the server.
The flaw, tracked as CVE-2026-3892, sits in the profile update handler that backs the become-dealer logo upload. The handler accepts a file path from the request and does not confine it to the user's own upload location, so a low-privileged user can point it at any file the web server process is allowed to remove. The immediate consequence is denial of service; deleting the right file (in WordPress, wp-config.php is the usual target, since its absence drops the site back into the installer) can be turned into full site takeover. Defenders should update the plugin or, where that is not immediately possible, restrict the affected functionality and watch for exploitation attempts.
Attack Chain
- The attacker authenticates to the WordPress site with Subscriber-level or higher privileges.
- The attacker opens the profile settings page where the become-dealer logo upload is exposed.
- The attacker crafts a profile update request whose logo path parameter points at the file they want removed, for example by using directory traversal to leave the uploads directory.
- The request is submitted to the profile update handler, which does not validate that the path stays inside the expected upload location.
- The plugin uses the supplied path as-is when removing the previous logo and deletes the targeted file from the server's filesystem.
- The attacker confirms the deletion (for instance, by observing that the site now errors or that a resource is gone).
- The attacker repeats the process for other files, escalating from denial of service to a takeover of the site.
Impact
Successful exploitation allows an authenticated attacker with minimal privileges to delete arbitrary files that the web server process can write to. This can result in data loss, a broken or defaced site, or complete denial of service; because removing wp-config.php makes WordPress run its installer again, it is also a well-known stepping stone to remote code execution. The CVSS v3.1 base score of 8.1 reflects high severity. The exact number of affected websites is unknown; any WordPress site running a vulnerable version of the Motors plugin should be treated as at risk.
Recommendation
- Upgrade the Motors – Car Dealership & Classified Listings Plugin to the latest version to patch CVE-2026-3892.
- Deploy the Sigma rule "Detect Motors Plugin Arbitrary File Deletion Attempt" to identify potential exploitation attempts.
- Implement strict file path validation on all file upload and file removal functionality to prevent similar vulnerabilities in other plugins.
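The following is an added example, not the Motors plugin's code, illustrating the pattern behind the attack chain above and the path validation the last recommendation calls for. It is a stand-alone PHP script that builds a throwaway directory layout (a fake site root with a per-user logo directory and a stand-in wp-config.php), then runs the same crafted input through a vulnerable handler that trusts the submitted path and a hardened handler that accepts only a bare file name and confines the canonical path to the user's logo directory. Function names, parameter names and the directory layout are assumptions made for the example.

```php
<?php
// Added example (not the Motors plugin's code): vulnerable vs. hardened
// "delete the previous logo" handler. Names and layout are assumptions.
declare(strict_types=1);

// Vulnerable: whatever path the request carries is handed to unlink().
function delete_old_logo_vulnerable(string $submitted_path): bool
{
    if ($submitted_path === '' || !is_file($submitted_path)) {
        return false;
    }
    return unlink($submitted_path);
}

// Hardened: only a bare file name is accepted, it is resolved inside the
// caller's own logo directory, and the canonical path must stay there.
function delete_old_logo_hardened(string $logo_dir, string $submitted_name): bool
{
    // A bare name has no separators and no traversal components.
    if ($submitted_name === '' || $submitted_name !== basename($submitted_name)) {
        return false;
    }
    $base = realpath($logo_dir);
    if ($base === false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $submitted_name);
    // realpath() follows symlinks, so a link planted inside the logo directory
    // that points at a file elsewhere resolves outside $base and is refused.
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed fixture: fake site root, logo directory for user 42, stand-in config.
function build_fixture(): array
{
    $root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'logo-demo-' . bin2hex(random_bytes(4));
    $logos = $root . '/uploads/dealer-logos/42';
    mkdir($logos, 0700, true);
    file_put_contents($logos . '/logo.png', 'PNG');
    file_put_contents($root . '/wp-config.php', '<?php // constructed stand-in');
    return [$root, $logos];
}

[$root, $logos] = build_fixture();
$config = $root . '/wp-config.php';

// 1. Traversal against the vulnerable handler: the config file is removed.
$crafted = $logos . '/../../../wp-config.php';
delete_old_logo_vulnerable($crafted);
echo 'vulnerable handler, config still present: ', var_export(is_file($config), true), PHP_EOL;

// 2. Same traversal against the hardened handler: refused, config untouched.
file_put_contents($config, '<?php // constructed stand-in');
$deleted = delete_old_logo_hardened($logos, '../../../wp-config.php');
echo 'hardened handler accepted traversal: ', var_export($deleted, true), PHP_EOL;

// 3. Symlink planted inside the logo directory pointing at the config file.
symlink($config, $logos . '/sneaky.png');
$deleted = delete_old_logo_hardened($logos, 'sneaky.png');
echo 'hardened handler followed symlink: ', var_export($deleted, true), PHP_EOL;
echo 'config still present after symlink attempt: ', var_export(is_file($config), true), PHP_EOL;

// 4. The legitimate case still works: the user's own logo is removed.
$deleted = delete_old_logo_hardened($logos, 'logo.png');
echo 'hardened handler deleted own logo: ', var_export($deleted, true), PHP_EOL;
```

In a real WordPress handler the cleaner fix is to never accept a path from the client at all: store the logo as an attachment, keep its ID in user meta, and remove it with `wp_delete_attachment()` after checking the nonce, the user's capability, and that the attachment belongs to the current user. The realpath-plus-prefix check above is the minimum that any code which must accept a file name should apply, and it is what the "strict file path validation" recommendation means in practice.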
Detection coverage (1 rule)
Detect Motors Plugin Arbitrary File Deletion Attempt
Severity: high. Detects CVE-2026-3892 exploitation attempts: requests to the profile update endpoint carrying a crafted file path aimed at arbitrary file deletion.