CVE-2025-10494
BaseFortify
Publication date: 2025-10-08
Last updated on: 2025-10-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| motors | car_dealership_classified_listings_plugin | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Motors β Car Dealership & Classified Listings Plugin for WordPress, where insufficient validation of file paths allows authenticated users with Subscriber-level access or higher to delete arbitrary files on the server. This happens when deleting profile pictures, and it can lead to serious consequences such as remote code execution if critical files like wp-config.php are deleted.
How can this vulnerability impact me? :
The vulnerability can allow an attacker with low-level authenticated access to delete important files on the server, potentially causing denial of service or enabling remote code execution. This could compromise the entire website, leading to data loss, website defacement, or full server takeover.