CVE-2026-3892 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: May 14, 2026
The Motors – Car Dealership & Classified Listings Plugin - Arbitrary File Deletion
Overview
The Motors – Car Dealership & Classified Listings Plugin for WordPress <= 1.4.107 contains an arbitrary file deletion vulnerability caused by insufficient file path validation in the become-dealer logo upload flow, letting authenticated attackers with subscriber access delete arbitrary files on the server.
Impact
Authenticated attackers can delete arbitrary files on the server, potentially disrupting service or deleting critical data.
Mitigation
Update to a version later than 1.4.107.
Social Media Activity (2 posts)
🟠 CVE-2026-3892 - High (8.1) The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo uplo... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3892/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-3892
- Severity: High
- CVSS Score: 8.1
- Type: undefined
- Status: rejected
- EPSS: 4.7%
- Social Posts: 2
CWE
- CWE-73
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H