WordPress Motors Plugin: Authenticated File Deletion Vulnerability (CVE-2026-3892)
The National Vulnerability Database has issued an advisory for CVE-2026-3892, impacting the Motors – Car Dealership & Classified Listings Plugin for WordPress. All versions up to, and including, 1.4.107 are vulnerable to arbitrary file deletion. The flaw stems from insufficient file path validation within the plugin’s ‘become-dealer’ logo upload function.
Specifically, the plugin’s profile update handler allows any authenticated user to specify an arbitrary filesystem path. This means a low-privileged authenticated attacker, with subscriber-level access or higher, can exploit this to delete any file on the server. The National Vulnerability Database assigns a CVSS score of 8.1 (HIGH) to this vulnerability, highlighting the significant impact on availability and integrity.
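One way to validate a user-supplied path before deleting it is a containment check: resolve the path and refuse anything that lands outside the upload directory. The PHP below is an added example, not the Motors plugin's code or its patch; `safe_delete_upload`, its parameters and the temporary demo files are hypothetical.

```php
<?php
// Added example: hypothetical helper, not code from the Motors plugin.
// Deletes a file only if its resolved path stays inside the uploads directory.

function safe_delete_upload(string $userPath, string $uploadsDir): bool
{
    $base = realpath($uploadsDir);
    if ($base === false) {
        return false; // uploads directory missing or unreadable
    }
    // realpath() resolves "..", "." and symlinks, and returns false for
    // paths that do not exist; those are rejected too.
    $target = realpath($userPath);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against the base plus a trailing separator so a sibling such as
    // "/uploads-old" cannot pass as "/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree in a temporary directory (not real site paths).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/logo.png", 'logo');
file_put_contents("$root/config.php", 'config');

// Case 1: a file inside the uploads directory.
var_dump(safe_delete_upload("$root/uploads/logo.png", "$root/uploads"));
// Case 2: a path that climbs out of the uploads directory.
var_dump(safe_delete_upload("$root/uploads/../config.php", "$root/uploads"));
// Case 3: whether the file outside uploads is still present.
var_dump(file_exists("$root/config.php"));

// Clean up the demo tree.
unlink("$root/config.php");
rmdir("$root/uploads");
rmdir($root);
```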
For defenders, this is a clear and present danger. An attacker doesn’t need to be an admin; a standard user account is enough to wipe critical server files. This isn’t just about defacement; it’s about system instability, denial of service, and potentially paving the way for further compromise by removing security logs or configuration files.
What This Means For You
- If your organization uses the Motors – Car Dealership & Classified Listings Plugin for WordPress, you need to verify your version immediately. Patching is paramount to prevent any authenticated user from deleting arbitrary files on your server. Audit your WordPress user roles and ensure least privilege is enforced, especially for subscriber-level accounts.
🛡️ Detection Rules
1 detection rule auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Exploitation Attempt — CVE-2026-3892
```yaml
title: Exploitation Attempt — CVE-2026-3892
id: scw-2026-05-14-evt-1
status: experimental
level: high
description: |
  Monitor for exploitation attempts targeting CVE-2026-3892. Patch immediately if running affected CVE-2026-3892 products.
author: SCW Feed Engine (auto-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-3892/
tags:
  - attack.general
  - attack.vulnerability
logsource:
  category: webserver
detection:
  selection:
    # Literal match on the CVE id in the query string; it does not key on
    # the become-dealer profile update request itself.
    cs-uri-query|contains:
      - 'CVE-2026-3892'
    # Only responses with these status codes are considered.
    sc-status:
      - 200
      - 500
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-3892
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3892 | Arbitrary File Deletion | Motors - Car Dealership & Classified Listings Plugin for WordPress <= 1.4.107 |
| CVE-2026-3892 | Arbitrary File Deletion | Insufficient file path validation in become-dealer logo upload flow |
| CVE-2026-3892 | Arbitrary File Deletion | Authenticated users (subscriber level and above) can set arbitrary filesystem path via profile update handler |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 10:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.