Arbitrary File Deletion in Motors Plugin for WordPress
CVE-2025-10494

8.1 HIGH

What is CVE-2025-10494?

The Motors – Car Dealership & Classified Listings Plugin for WordPress contains a vulnerability that allows authenticated users with Subscriber-level access and above to delete arbitrary files from the server. The cause is insufficient file path validation when deleting profile pictures. This poses a significant risk, especially if critical files such as wp-config.php are targeted. Site owners should urgently address this issue by updating to the latest version of the plugin and implementing robust security measures to safeguard their WordPress installations.

Affected Version(s)

Motors – Car Dealership & Classified Listings Plugin * <= 1.4.89

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kishan Vyas