{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/the-motors--car-dealership--classified-listings-plugin--1.4.107/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-3892"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["The Motors – Car Dealership \u0026 Classified Listings Plugin \u003c= 1.4.107"],"_cs_severities":["medium"],"_cs_tags":["arbitrary-file-deletion","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Motors – Car Dealership \u0026amp; Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion. This vulnerability, identified as CVE-2026-3892, affects all versions up to and including 1.4.107. The flaw lies in the insufficient validation of file paths during the become-dealer logo upload process. This allows authenticated users, even those with subscriber-level access, to manipulate the file path and delete arbitrary files on the server. Successful exploitation could lead to denial of service or other malicious activities. Defenders need to ensure the plugin is updated or implement mitigations to prevent unauthorized file deletion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with subscriber-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the profile settings page where the \u0026ldquo;become-dealer\u0026rdquo; logo upload functionality is available.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request containing a manipulated file path to the target file they wish to delete.\u003c/li\u003e\n\u003cli\u003eThe malicious file path is submitted through the profile update handler, bypassing insufficient validation checks.\u003c/li\u003e\n\u003cli\u003eThe plugin attempts to process the request, utilizing the provided file path to delete the specified file.\u003c/li\u003e\n\u003cli\u003eDue to the insufficient validation, the plugin successfully deletes the arbitrary file on the server\u0026rsquo;s filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the deletion of the targeted file.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat this process to delete other arbitrary files, causing denial of service or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows authenticated attackers with minimal privileges to delete arbitrary files on the WordPress server. This can result in data loss, website defacement, or complete denial of service. A CVSS v3.1 base score of 8.1 indicates a high severity risk. While the exact number of affected websites is unknown, any WordPress site using a vulnerable version of The Motors plugin is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade The Motors – Car Dealership \u0026amp; Classified Listings Plugin to the latest version to patch CVE-2026-3892.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Motors Plugin Arbitrary File Deletion Attempt\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict file path validation on all file upload functionalities to prevent similar vulnerabilities in other plugins.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T07:17:45Z","date_published":"2026-05-14T07:17:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-3892/","summary":"The Motors – Car Dealership \u0026 Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in versions up to 1.4.107 due to insufficient file path validation in the become-dealer logo upload flow, allowing authenticated attackers with subscriber level access and above to delete arbitrary files on the server.","title":"CVE-2026-3892 - WordPress Motors Plugin Arbitrary File Deletion","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-3892/"}],"language":"en","title":"CraftedSignal Threat Feed — The Motors – Car Dealership \u0026 Classified Listings Plugin \u003c= 1.4.107","version":"https://jsonfeed.org/version/1.1"}