CVE-2026-3892
HIGH · 8.1
Day-zero chatter; no PoC, no KEV, no patch signal; pure feed republishing.
What: Arbitrary file deletion vulnerability in Motors WordPress plugin (versions ≤1.4.107) allowing authenticated subscribers to delete arbitrary server files via path traversal in logo upload. CVSS 8.1 (HIGH).
Why it matters: Published today with high CVSS score and clear attack vector (authenticated, subscriber+), but not yet KEV-listed. No public PoC, vendor patch status, or confirmed in-the-wild exploitation mentioned in social chatter. Chatter is purely automated CVE feed republishing with no defender triage signals.
Where it's seen: Generic CVE aggregator posts and vendor security alerts (Patchstack, The Hacker Wire, Kaitan) spreading the NVD description verbatim across Bluesky and Twitter. No tactical discussion, no patch confirmation, no affected site reports.
RISK: HIGH — Authenticated RCE pathway via file deletion on WordPress sites; high CVSS; broad WordPress install base.
Description
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to set an arbitrary filesystem path via the profile update handler. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server.
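A defensive counterpart to the flaw described above, added here as an example and not code from the Motors plugin, Patchstack or NVD. The description names two root causes: the profile update handler persists an arbitrary filesystem path, and the logo deletion step trusts it. The fix is to store only a filename, rebuild the path server-side at delete time, and prove the canonical result lies inside the upload directory before calling unlink(). The function name delete_dealer_logo, the filename policy and the temporary sample files are assumptions; in a real plugin $base_dir would come from wp_upload_dir()['basedir'].

```php
<?php
// Added example (not the Motors plugin's own code): never delete a path that
// came from user input; rebuild it from a stored filename and verify containment.

/**
 * Delete a dealer logo that must live directly inside $base_dir.
 * Returns true when a file was removed, false when the request was refused
 * or nothing existed to delete. $stored_name is whatever the profile record
 * holds; it is treated as untrusted even though it was written by our own code.
 */
function delete_dealer_logo(string $base_dir, string $stored_name): bool
{
    // 1. Reduce the stored value to a bare filename and require a conservative
    //    shape: no separators, no dotfiles, image extensions only.
    $name = basename($stored_name);
    if ($name === '' || !preg_match('/^[A-Za-z0-9._-]{1,128}$/', $name)) {
        return false;
    }
    if ($name[0] === '.' || !preg_match('/\.(png|jpe?g|gif|webp)$/i', $name)) {
        return false;
    }

    // 2. Canonicalise the base directory; refuse if it does not exist.
    $real_base = realpath($base_dir);
    if ($real_base === false || !is_dir($real_base)) {
        return false;
    }
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // 3. Canonicalise the candidate. realpath() follows symlinks and collapses
    //    '..' and '.', and returns false when the file is missing.
    $real_target = realpath($real_base . $name);
    if ($real_target === false || !is_file($real_target)) {
        return false;
    }

    // 4. Containment check on the canonical prefix, never on the raw string,
    //    so a symlink inside the upload directory pointing elsewhere is refused.
    if (strncmp($real_target, $real_base, strlen($real_base)) !== 0) {
        return false;
    }

    return unlink($real_target);
}

// Constructed demonstration: a throwaway upload directory with one logo in it,
// plus one file outside it that must survive every call below.
$uploads = sys_get_temp_dir() . '/motors-logo-demo-' . getmypid();
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/dealer-42.png', 'constructed sample bytes');
$outside = tempnam(sys_get_temp_dir(), 'keep-');

// Stored value that tries to climb out of the upload directory.
var_dump(delete_dealer_logo($uploads, '../../' . basename($outside)));
// Stored value that is an absolute path.
var_dump(delete_dealer_logo($uploads, '/etc/passwd'));
// Legitimate stored filename.
var_dump(delete_dealer_logo($uploads, 'dealer-42.png'));
// The file outside the base directory is still there.
var_dump(file_exists($outside));

unlink($outside);
rmdir($uploads);
```

The first two calls are refused before any filesystem access because basename() strips the traversal and the remaining name fails the filename policy; only the third call reaches unlink(), and the file outside the upload directory is untouched. The deeper point for the profile update handler is that nothing in the request should ever be able to set the stored value to a path: persist the sanitised filename (or a WordPress attachment ID) and derive the path at use time, so the delete step has no user-controlled path to trust in the first place.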
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Attack vector: Network
- Attack complexity: Low
- Privileges required: Low
- User interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: High