{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10494", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-15T19:08:52.795Z", "datePublished": "2025-10-08T03:31:32.827Z", "dateUpdated": "2026-04-08T17:30:00.444Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:00.444Z"}, "affected": [{"vendor": "stylemix", "product": "Motors \u2013 Car Dealership & Classified Listings Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.89", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Motors \u2013 Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "Motors \u2013 Car Dealership & Classified Listings Plugin <= 1.4.89 - Authenticated (Subscriber+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6066890-75b9-468d-9f67-78e93f58dcc1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369415%40motors-car-dealership-classified-listings%2Ftrunk&old=3367132%40motors-car-dealership-classified-listings%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "timeline": [{"time": "2025-09-19T17:13:44.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-07T14:44:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-08T14:19:58.436467Z", "id": "CVE-2025-10494", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-08T14:20:09.274Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10494", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-08T14:19:58.436467Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-08T14:20:02.902Z"}}], "cna": {"title": "Motors \u2013 Car Dealership & Classified Listings Plugin <= 1.4.89 - Authenticated (Subscriber+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "stylemix", "product": "Motors \u2013 Car Dealership & Classified Listings Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.4.89"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-19T17:13:44.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-07T14:44:40.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6066890-75b9-468d-9f67-78e93f58dcc1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369415%40motors-car-dealership-classified-listings%2Ftrunk&old=3367132%40motors-car-dealership-classified-listings%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Motors \u2013 Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-08T03:31:32.827Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10494", "state": "PUBLISHED", "dateUpdated": "2025-10-08T14:20:09.274Z", "dateReserved": "2025-09-15T19:08:52.795Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-08T03:31:32.827Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Motors \u2013 Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "id": "CVE-2025-10494", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-08T04:16:11.527", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369415%40motors-car-dealership-classified-listings%2Ftrunk&old=3367132%40motors-car-dealership-classified-listings%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6066890-75b9-468d-9f67-78e93f58dcc1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:45:33.866685+00:00", "value": {"mitigation_remediation": ["Upgrade the Motors \u2013 Car Dealership & Classified Listings Plugin to a version newer than 1.4.89 that implements proper file path validation; if no update is available, uninstall the plugin.", "Modify the plugin\u2019s authorization logic to require Administrator or higher capability for profile picture deletion, preventing low\u2011privilege users from triggering file deletion.", "Enhance file\u2011system security by setting strict permissions on critical files (e.g., wp-config.php) and employing a Web Application Firewall or file integrity monitoring to detect and block unauthorized deletion attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All releases of the Motors \u2013 Car Dealership & Classified Listings Plugin from stylemix up to and including version 1.4.89 are affected. Any installation of the plugin at these versions on a WordPress site is vulnerable, regardless of WordPress core version.", "description_and_impact": "The Motors \u2013 Car Dealership & Classified Listings Plugin for WordPress suffers from insufficient file path validation when deleting user profile pictures. This flaw permits an authenticated user with as little as Subscriber-level privileges to specify arbitrary file paths, leading to deletion of any writable file on the server. Removing or replacing critical files such as wp-config.php can result in remote code execution or site compromise. The weakness is a file\u2011path traversal/validation issue (CWE\u201173).", "risk_and_exploitability": "The CVSS score of 8.1 classifies the issue as critical, though the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated with at least Subscriber permissions, then exploit the profile picture deletion endpoint by providing an untrusted path. Because the plugin lacks strict path validation, the attacker can target any file within writable directories, providing a direct route to delete configuration files or inject malicious code."}}}}, "created": "2025-10-08T13:35:07.530918+00:00", "updated": "2026-04-22T01:00:04.350398+00:00", "vendors": ["stylemix", "stylemix$PRODUCT$motors", "wordpress", "wordpress$PRODUCT$wordpress"]}