CVE-2025-10494

Motors · Motors – Car Dealership & Classified Listings Plugin for WordPress

A high-severity vulnerability has been identified in the "Motors – Car Dealership & Classified Listings" WordPress plugin, which could allow an attacker to delete arbitrary files on the server.

Executive summary

The "Motors – Car Dealership & Classified Listings" WordPress plugin contains a high-severity arbitrary file deletion vulnerability: an authenticated user can make the plugin delete files outside the media directory it is supposed to manage. Successful exploitation could lead to website defacement, denial of service, or complete site compromise by removing critical configuration or security files, wp-config.php in particular. Organizations using this plugin are urged to apply the recommended remediation actions immediately to mitigate the risk.

Vulnerability

The vulnerability exists because the file path used when a user deletes their profile picture is not sufficiently validated. An authenticated attacker can manipulate the file path parameter with path traversal sequences (e.g., ../../) so that the deletion targets files outside the intended media directory. Any file the web server process is permitted to remove is reachable: WordPress core files, theme or plugin files, the wp-config.php configuration file, or a web server configuration file such as .htaccess. Deleting wp-config.php is the most damaging case. Beyond the immediate outage, WordPress treats a missing wp-config.php as a fresh installation and offers its setup wizard, which an attacker can complete against a database they control, leaving them with an administrator account on the rebuilt site.
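The following is an added, language-neutral illustration of the flaw class and its fix; it is not the Motors plugin's own code, and the function names, directory layout and request values are hypothetical. It places the vulnerable pattern (join the user-supplied name onto the upload directory and hand the result to unlink) beside a hardened resolver that resolves symlinks on both sides and refuses anything that does not land strictly inside the real upload directory. The demo builds a throwaway site layout in a temporary directory so the traversal, absolute-path and symlink cases can be checked without touching a real install.

```python
"""
Path-confinement check for a 'delete my profile picture' handler.

Added illustration; not the Motors plugin's code. Function names, the
directory layout and the request values are hypothetical.
"""
import os
import shutil
import tempfile


def unsafe_target(upload_dir: str, requested: str) -> str:
    """Vulnerable pattern: lexical join only. '../../wp-config.php' walks
    straight out of upload_dir, and an absolute 'requested' replaces it."""
    return os.path.normpath(os.path.join(upload_dir, requested))


def confined_target(upload_dir: str, requested: str) -> str:
    """Hardened pattern: resolve symlinks on both sides, then require the
    candidate to sit below the real upload directory. Raises ValueError
    for traversal, absolute paths, symlink escapes and NUL bytes."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload directory: {requested!r}")
    return candidate


def demo() -> dict:
    """Build a throwaway site layout (constructed for this example) and
    report, per request, what the unsafe resolver would unlink (relative
    to the site root) and whether the confined resolver accepts it."""
    root = tempfile.mkdtemp(prefix="motors-demo-")
    try:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        open(os.path.join(root, "wp-config.php"), "w").close()
        open(os.path.join(uploads, "avatar.png"), "w").close()
        # A symlink inside uploads pointing at a file outside it; a purely
        # lexical check would let this through, realpath() does not.
        os.symlink(os.path.join(root, "wp-config.php"),
                   os.path.join(uploads, "link.png"))

        requests = {
            "legit": "avatar.png",
            "traversal": "../../wp-config.php",
            "absolute": os.path.join(root, "wp-config.php"),
            "symlink": "link.png",
        }
        results = {}
        for name, req in requests.items():
            unsafe = os.path.relpath(unsafe_target(uploads, req), root)
            try:
                confined_target(uploads, req)
                verdict = "allowed"
            except ValueError:
                verdict = "rejected"
            results[name] = (unsafe, verdict)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, (unsafe, verdict) in demo().items():
        print(f"{name:10s} unsafe would unlink: {unsafe:32s} confined: {verdict}")
```

In PHP the equivalent check calls realpath() on both the upload base directory (wp_upload_dir()['basedir']) and the candidate, then verifies the candidate starts with the base plus a directory separator; PHP's realpath() returns false for a path that does not exist, and that false result must itself be treated as a rejection rather than passed on to unlink().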

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could have a significant business impact by causing a complete website outage if critical files like wp-config.php or core application files are deleted. This leads to reputational damage, loss of customer trust, and potential revenue loss while the site is down. Furthermore, an attacker could delete security-related files (e.g., .htaccess) to disable security controls, creating an opportunity for subsequent, more severe attacks. Restoring the website from backups may be required, resulting in data loss and significant administrative overhead.

Remediation

Immediate Action: Immediately update the "Motors – Car Dealership & Classified Listings" plugin to the latest available version provided by the vendor, which contains a patch for this vulnerability. If the plugin is not critical to business operations, consider deactivating and removing it entirely to eliminate the attack surface.

Proactive Monitoring: Monitor for requests to the profile picture deletion function whose parameters contain path traversal payloads (e.g., ../, or URL-encoded forms such as %2e%2e/ and %2e%2e%2f, including double-encoded variants like %252e%252e%252f). Note that standard web server access logs record the request line and query string but not the POST body; if the file parameter is sent in the body, the payload will only be visible in WAF, reverse proxy, or application-level logs that capture request bodies. Implement a file integrity monitoring (FIM) solution to alert on unauthorized changes or deletions of WordPress core files, theme/plugin files, wp-config.php, and server configuration files such as .htaccess.
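As an added example (not part of the advisory, and not the plugin's code), the detection logic above run over a few constructed access-log lines in combined log format. The endpoint (admin-ajax.php with action=delete_profile_picture) and the parameter name file are placeholders, since the advisory does not name the real ones, and the log lines are constructed rather than captured from any incident. The sample assumes the parameter travels in the query string, which is what an access log can show; the same scanning logic applies unchanged to WAF or application logs that capture POST bodies. Decoding is repeated to catch double encoding, and the traversal pattern requires ".." to stand alone between separators so that a legitimate name like photo..png is not flagged.

```python
"""
Detection of path traversal in requests to a profile-picture deletion
endpoint, run over constructed access-log lines.

Added example; not the advisory's or the plugin's code. The endpoint,
the 'file' parameter and the log lines are all placeholders/constructed.
"""
import posixpath
import re
import urllib.parse

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# '..' standing alone between separators (or at either end), in either
# slash style. 'photo..png' does not match; '../x', 'x/..', '..\\x' do.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

# Constructed sample lines, not from a real incident. Hypothetical endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=delete_profile_picture&file=avatar.png HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=delete_profile_picture&file=../../wp-config.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=delete_profile_picture&file=%2e%2e%2f%2e%2e%2f.htaccess HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:14 +0000] "POST /wp-admin/admin-ajax.php?action=delete_profile_picture&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2025:12:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=delete_profile_picture&file=photo..png HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2025:12:01:30 +0000] "GET /wp-login.php HTTP/1.1" 200 1874 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded '%252e' becomes '.'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_values(query: str):
    """Yield (param, decoded_value, reason) for query parameters that carry
    a traversal sequence or an absolute path."""
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:  # parse_qs has already decoded once
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                yield name, value, "traversal sequence"
            elif posixpath.isabs(value) or re.match(r"[A-Za-z]:[\\/]", value):
                yield name, value, "absolute path"


def scan(log_text: str) -> list:
    """Return one finding per suspicious parameter on requests to the
    (placeholder) deletion endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/wp-admin/admin-ajax.php"):
            continue  # placeholder endpoint filter; adjust to the real one
        for param, value, reason in suspicious_values(query):
            findings.append({
                "ip": m.group("ip"), "time": m.group("ts"),
                "param": param, "value": value, "reason": reason,
                "status": m.group("status"),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['param']}={f['value']!r} "
              f"({f['reason']}, HTTP {f['status']})")
```

A 200 status on a flagged request is the signal to act on: it means the handler accepted the parameter, and the FIM alerts for the named file should be checked immediately.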

Compensating Controls: If patching cannot be performed immediately, deploy a Web Application Firewall (WAF) with rules that detect and block path traversal, bearing in mind that signature rules are a stopgap and can be evaded by encodings the rule does not normalize. Enforce strict file system permissions so that the web server's user account can only write to the directories it genuinely needs, such as wp-content/uploads; because unlinking a file requires write permission on its parent directory rather than on the file itself, the WordPress root (where wp-config.php and .htaccess live) must not be writable by that account. Maintain and test a regular off-site backup schedule to ensure rapid recovery in the event of a successful attack.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.1 and the critical impact of arbitrary file deletion, it is strongly recommended that organizations patch this vulnerability with the highest priority. The risk of a complete website denial of service is substantial. All internet-facing WordPress sites using the affected plugin should be identified and updated immediately. If patching is delayed, the compensating controls outlined above, particularly a WAF and strict file permissions, should be implemented as an urgent interim measure.