CVE-2025-10494

CVE-2025-10494 is an arbitrary file deletion vulnerability in the Motors – Car Dealership & Classified Listings Plugin for WordPress, affecting all versions up to and including 1.4.89. The issue arises from insufficient file path validation when deleting profile pictures, allowing attackers to target arbitrary files on the server. It carries a CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-73 (External Control of File Name or Path).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely without user interaction. By manipulating file paths during profile picture deletion, they can delete any file on the server, potentially leading to remote code execution—for instance, by targeting critical files like wp-config.php.

Advisories point to mitigation through updating the plugin, with a fix reflected in WordPress plugin repository changeset 3369415. Additional details are available in the Wordfence threat intelligence report.