CVE-2025-10494: CWE-73 External Control of File Name or Path in stylemix Motors – Car Dealership & Classified Listings Plugin
The Motors – Car Dealership & Classified Listings plugin for WordPress is vulnerable to arbitrary file deletion because it does not sufficiently validate file paths when deleting profile pictures, in all versions up to and including 1.4.89. Authenticated attackers with Subscriber-level access and above can delete arbitrary files on the server. Deleting the right file (such as wp-config.php) readily leads to remote code execution: without its configuration file WordPress re-enters its installation routine, which an attacker can complete against a database they control, create an administrator account and then upload malicious plugin or theme code.
AI Analysis
Technical Summary
CVE-2025-10494 is a CWE-73 (External Control of File Name or Path) weakness in the 'Motors – Car Dealership & Classified Listings' WordPress plugin by stylemix. The profile-picture deletion routine accepts a file path influenced by the requester and does not confine it to the user's own upload, so any authenticated user, down to the Subscriber role that WordPress assigns to self-registered accounts by default, can delete any file the PHP process is permitted to remove. The most damaging target is wp-config.php: without it WordPress falls back to its setup routine, which lets an attacker configure the site against a database they control, create an administrator account and then upload a malicious plugin or theme, turning file deletion into remote code execution. Deleting other files (plugin code, .htaccess, uploads) degrades availability and integrity short of that. All plugin versions up to and including 1.4.89 are affected; at the time of this analysis no fixed release had been recorded. The CVSS v3.1 base score is 8.1 (high), consistent with network reachability, low attack complexity, low privileges required and no user interaction, with high impact on integrity and availability. No in-the-wild exploitation was known when this entry was written, but the low privilege requirement and the direct path to site takeover make the flaw a realistic target, particularly on dealership and classified sites that allow public registration.
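As an added illustration (not the Motors plugin's code, whose internals this page does not show), the PHP below contrasts the CWE-73 pattern described above with a hardened handler. The directory layout, the function names and the `userN.<ext>` naming convention for avatars are assumptions made for the demo; the script runs against a throwaway directory under the system temp path, so it is safe to execute with `php demo.php`.

```php
<?php
// Added example, not the Motors plugin's code: the CWE-73 arbitrary file
// deletion pattern next to a hardened version. Function names, the directory
// layout and the "userN.<ext>" avatar naming are illustrative assumptions.
// Everything runs inside a throwaway directory under the system temp path.

declare(strict_types=1);

// Build a fake site: a wp-config.php at the root and one avatar under
// wp-content/uploads/avatars, mirroring the layout such a flaw targets.
function make_fake_site(): string {
    $root = sys_get_temp_dir() . '/cve-2025-10494-demo-' . bin2hex(random_bytes(4));
    mkdir("$root/wp-content/uploads/avatars", 0700, true);
    file_put_contents("$root/wp-config.php", "<?php // pretend DB credentials\n");
    file_put_contents("$root/wp-content/uploads/avatars/user42.png", 'PNG');
    return $root;
}

// VULNERABLE pattern: the file name comes straight from the request and is
// joined to the avatar directory without checking where the result ends up.
// "../../../wp-config.php" walks out of avatars/uploads/wp-content and deletes
// the site's configuration file.
function delete_avatar_vulnerable(string $site_root, string $requested): bool {
    $path = "$site_root/wp-content/uploads/avatars/" . $requested;
    return is_file($path) && unlink($path);
}

// HARDENED pattern: accept only a bare file name, tie it to the acting user,
// resolve it and require the resolved path to stay inside the avatar
// directory. In a real plugin the user id would come from get_current_user_id()
// and the attachment's metadata, and the handler would also verify a nonce and
// a capability before reaching this point.
function delete_avatar_hardened(string $site_root, string $requested, int $user_id): bool {
    $base = realpath("$site_root/wp-content/uploads/avatars");
    if ($base === false) {
        return false;
    }
    // Bare file name only: no separators, no "..", no NUL (PHP 8 filesystem
    // functions throw on NUL bytes, so reject them up front).
    if ($requested === '' || $requested !== basename($requested) || strpos($requested, "\0") !== false) {
        return false;
    }
    // Ownership: in this demo user N's avatar is stored as userN.<ext>.
    if (!preg_match('/^user(\d+)\.(png|jpe?g|gif|webp)$/', $requested, $m) || (int) $m[1] !== $user_id) {
        return false;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() follows symlinks, so a symlink planted in the avatar directory
    // that points at wp-config.php resolves outside $base and is rejected here.
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($path);
}

$payload = '../../../wp-config.php';

$site = make_fake_site();
delete_avatar_vulnerable($site, $payload);
printf("vulnerable: wp-config.php %s\n", file_exists("$site/wp-config.php") ? 'survived' : 'DELETED');

$site = make_fake_site();
$refused = !delete_avatar_hardened($site, $payload, 42);
printf("hardened:   traversal %s, wp-config.php %s\n",
    $refused ? 'refused' : 'ACCEPTED',
    file_exists("$site/wp-config.php") ? 'survived' : 'DELETED');
// The legitimate case still works: user 42 deletes their own avatar ...
printf("hardened:   own avatar deleted: %s\n", delete_avatar_hardened($site, 'user42.png', 42) ? 'yes' : 'no');
// ... while user 7 is refused when naming user 42's file.
$site = make_fake_site();
printf("hardened:   other user's avatar refused: %s\n", delete_avatar_hardened($site, 'user42.png', 7) ? 'no' : 'yes');
```

The essential check is the last one in the hardened function: compare the realpath()-resolved candidate against the resolved base directory with the trailing separator included, so that a sibling directory whose name merely starts with the base name is not accepted. Rejecting anything that is not a bare file name is cheap defence in depth, and the ownership check is what stops a Subscriber from deleting another user's legitimate avatar even when the path is well inside the upload tree.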
Potential Impact
For European organizations, the exposure is WordPress-based dealership and classified listing sites running this plugin, above all those that allow visitors to register, since the default role for self-registered users is Subscriber, which is all the attack requires. Exploitation can take a site offline by deleting core files, corrupt or remove stored content and, through the wp-config.php reinstall path, hand an attacker administrative control and code execution on the web server, putting customer and vehicle data and any systems the host can reach at risk. For dealers in the larger European automotive markets that means lost sales, regulatory exposure from personal-data breaches and reputational damage. The absence of a public exploit at the time of writing is a window for mitigation, not a reason to defer it: the bug is simple and the affected code path is reachable by anyone who can create an account.
Mitigation Recommendations
Organizations should first establish whether the plugin is installed and which version is in use, for example from the WordPress Plugins screen or, with WP-CLI, `wp plugin list`; every version up to and including 1.4.89 is affected. Until stylemix publishes a fixed release, the following reduce exposure. Disable open registration (Settings, General, 'Anyone can register') and remove dormant accounts: Subscriber is the lowest role WordPress offers, so the flaw cannot be addressed by trimming capabilities, only by limiting who holds an account at all. Harden the filesystem with the deletion semantics in mind: removing a file requires write access to its parent directory, not to the file itself, so making wp-config.php read-only does not help; the web root, wp-admin and wp-includes should not be writable by the PHP process user, and wp-config.php can be moved one directory above the web root, which WordPress supports. Add a WAF rule that blocks path traversal sequences (../ and its encoded variants) in requests to the plugin's profile-picture handlers, and alert on deletion or modification of wp-config.php and other core files through file-integrity monitoring and web-server log review. Host the site in a segmented network zone so that a compromised web server cannot reach internal systems. Keep tested backups of both files and database so that a damaged site can be restored from a known-good copy rather than reinstalled through the attacker-reachable setup flow, and apply the vendor fix as soon as it is released.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Poland, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-15T19:08:52.795Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e5dd8fc8e674871eac10be
Added to database: 10/8/2025, 3:42:07 AM
Last enriched: 10/8/2025, 3:55:26 AM
Last updated: 10/8/2025, 6:26:53 AM
Related Threats
- CVE-2025-11437: Cross Site Scripting in JhumanJ OpnForm (Medium)
- CVE-2025-10635: CWE-89 SQL Injection in Find Me On (Unknown)
- CVE-2025-11436: Unrestricted Upload in JhumanJ OpnForm (Medium)
- CVE-2025-11435: Cross Site Scripting in JhumanJ OpnForm (Medium)
- CVE-2025-11171: CWE-306 Missing Authentication for Critical Function in ays-pro Chartify – WordPress Chart Plugin (Medium)