CVE-2025-10494 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in the Motors – Car Dealership & Classified Listings Plugin for WordPress. This plugin, widely used to manage car dealership and classified listings, suffers from insufficient validation of file paths when deleting profile pictures. Authenticated attackers with as low as Subscriber-level privileges can exploit this flaw to delete arbitrary files on the hosting server. The vulnerability arises because the plugin does not properly sanitize or restrict the file path input, allowing path traversal or direct file targeting. Critical files such as wp-config.php, which contains database credentials and configuration settings, can be deleted, potentially causing denial of service or enabling further attacks like remote code execution if attackers replace or manipulate files afterward. The CVSS v3.1 score of 8.1 reflects the ease of exploitation (network attack vector, low attack complexity, no user interaction) and the high impact on integrity and availability, although confidentiality impact is rated none. The vulnerability affects all versions up to and including 1.4.89, with no patch currently linked. While no active exploits are publicly known, the risk remains significant due to the plugin’s popularity and the critical nature of the affected files. The vulnerability was reserved and published in late 2025, with Wordfence as the assigner. This flaw highlights the importance of strict input validation and least privilege principles in WordPress plugins, especially those handling file operations.

The impact of CVE-2025-10494 is substantial for organizations using the affected plugin. Arbitrary file deletion can disrupt website functionality, leading to denial of service conditions if essential files like wp-config.php or core WordPress files are removed. This can cause downtime, loss of business continuity, and damage to reputation. Furthermore, deletion of configuration files may open avenues for attackers to upload malicious files or execute remote code, escalating the attack from file deletion to full system compromise. Since the vulnerability requires only Subscriber-level authentication, it lowers the barrier for exploitation, increasing risk from insider threats or compromised low-privilege accounts. The widespread use of WordPress and the plugin in automotive and classified listing sectors means many small to medium businesses could be affected, potentially resulting in data loss, service interruptions, and increased incident response costs. The absence of known exploits in the wild suggests a window for proactive mitigation, but the high CVSS score indicates urgency in addressing the vulnerability to prevent future attacks.

1. Immediate mitigation involves updating the plugin to a patched version once available; monitor the vendor’s announcements for official patches. 2. Until a patch is released, restrict Subscriber-level users from accessing file deletion functionalities via role hardening or custom capability restrictions using WordPress role management plugins. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious file deletion requests, especially those containing path traversal patterns. 4. Regularly back up WordPress files and databases to enable rapid restoration if critical files are deleted. 5. Employ file integrity monitoring tools to alert administrators of unexpected file deletions or modifications. 6. Harden server permissions to limit the WordPress process’s ability to delete or modify critical files outside designated directories. 7. Conduct security audits of installed plugins to identify and remediate similar path validation issues. 8. Educate users and administrators about the risks of low-privilege account compromise and enforce strong authentication mechanisms. These steps collectively reduce the risk of exploitation and limit potential damage.