CVE-2025-10494
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to delete arbitrary files on the server due to insufficient file path validation in the Motors plugin. Attackers can achieve remote code execution by deleting critical files like wp-config.php. All WordPress sites using vulnerable versions of the Motors plugin are affected.
💻 Affected Systems
- Motors – Car Dealership & Classified Listings Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through remote code execution leading to data theft, defacement, or malware installation
Likely Case
Site disruption through deletion of critical files causing downtime and potential data loss
If Mitigated
Limited impact if proper file permissions and access controls prevent exploitation
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.90
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Motors plugin
4. Click 'Update Now' if available
5. Or download version 1.4.90+ from WordPress repository
6. Upload and replace existing plugin files
🔧 Temporary Workarounds
Disable plugin temporarily
allDeactivate the Motors plugin until patched
wp plugin deactivate motors-car-dealership-classified-listings
Restrict file permissions
linuxSet strict permissions on critical WordPress files
chmod 400 wp-config.php
chmod 400 .htaccess
🧯 If You Can't Patch
- Remove Subscriber role access or implement strict user role management
- Implement web application firewall rules to block file deletion requests to the plugin
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Motors plugin version. If version ≤1.4.89, vulnerable.Check Version:
wp plugin get motors-car-dealership-classified-listings --field=versionVerify Fix Applied:
Confirm plugin version is 1.4.90 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion requests in web server logs targeting /wp-content/plugins/motors-car-dealership-classified-listings/
Network Indicators:
- HTTP POST requests to plugin endpoints with file path parameters
SIEM Query:
source="web_server_logs" AND (uri="/wp-content/plugins/motors-car-dealership-classified-listings/" AND method="POST" AND status=200)🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369415%40motors-car-dealership-classified-listings%2Ftrunk&old=3367132%40motors-car-dealership-classified-listings%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e6066890-75b9-468d-9f67-78e93f58dcc1?source=cve
