Arbitrary File Deletion in Motors - Car Dealership & Classified Listings Plugin for WordPress
CVE-2026-3892

8.1HIGH

Key Information:

Vendor: WordPress
Status: Motors – Car Dealership & Classified Listings Plugin
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-3892?

The Motors – Car Dealership & Classified Listings Plugin for WordPress is susceptible to an arbitrary file deletion vulnerability in all versions up to and including 1.4.107. This issue arises from inadequate validation of file paths during the logo upload process for users upgrading to dealer profiles. An authenticated user with subscriber-level access or higher can exploit this flaw, potentially enabling them to delete arbitrary files from the server, which poses significant risks to web application integrity and security.

Affected Version(s)

Motors – Car Dealership & Classified Listings Plugin 0 <= 1.4.107

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3505874/

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Mar 10, 2026

Credit

Leonid Semenenko

CVE-2026-3892 Data

JSON