Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-3892: Arbitrary File Access in Motors Plugin
Plateforme
wordpress
Composant
motors-car-dealership-classified-listings
Corrigé dans
1.4.108
CVE-2026-3892 is an arbitrary file access vulnerability discovered in the Motors – Car Dealership & Classified Listings Plugin for WordPress. This flaw allows authenticated users, even those with subscriber-level access, to delete files on the server. The vulnerability impacts versions 1.0.0 through 1.4.107, and a patch is available in version 1.4.108.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Impact et Scénarios d'Attaquetraduction en cours…
An attacker exploiting this vulnerability can delete critical system files, potentially leading to a complete compromise of the WordPress installation. This could include deleting configuration files, database connections, or even core WordPress files. The ability to delete arbitrary files grants significant control over the server, enabling attackers to disrupt operations, steal sensitive data, or install malicious code. While requiring authentication, the low privilege level needed (subscriber) expands the potential attack surface significantly, as many WordPress sites have numerous users with this access level.
Contexte d'Exploitationtraduction en cours…
This vulnerability was published on 2026-05-14. Currently, there are no known public exploits or active campaigns targeting this specific vulnerability. The ease of exploitation, combined with the widespread use of WordPress and the plugin, suggests it could become a target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Renseignement sur les Menaces
Statut de l'Exploit
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Faible — tout compte utilisateur valide est suffisant.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Aucun — aucun impact sur la confidentialité.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Élevé — panne complète ou épuisement des ressources. Déni de service total.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
Mitigation et Contournementstraduction en cours…
The primary mitigation is to immediately upgrade the Motors plugin to version 1.4.108 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file upload permissions for users with subscriber roles. Implement a Web Application Firewall (WAF) rule to block requests containing suspicious file paths in the logo upload parameter. Regularly review user permissions and ensure the principle of least privilege is enforced. After upgrading, confirm the fix by attempting to upload a file with a deliberately invalid path and verifying that the upload fails with an appropriate error message.
Comment corriger
Mettre à jour vers la version 1.4.108, ou une version corrigée plus récente
Questions fréquentestraduction en cours…
What is CVE-2026-3892 — Arbitrary File Access in Motors Plugin?
CVE-2026-3892 is a HIGH severity vulnerability in the Motors plugin for WordPress, allowing authenticated users to delete arbitrary files on the server due to insufficient file path validation during logo uploads.
Am I affected by CVE-2026-3892 in Motors Plugin?
You are affected if your WordPress site uses the Motors plugin and is running version 1.0.0 through 1.4.107. Check your plugin version immediately.
How do I fix CVE-2026-3892 in Motors Plugin?
Upgrade the Motors plugin to version 1.4.108 or later to resolve the vulnerability. If immediate upgrade is not possible, restrict file upload permissions for subscriber roles and implement WAF rules.
Is CVE-2026-3892 being actively exploited?
As of the publication date, there are no known public exploits or active campaigns targeting CVE-2026-3892, but the vulnerability's ease of exploitation makes it a potential target.
Where can I find the official Motors plugin advisory for CVE-2026-3892?
Refer to the official Motors plugin website or WordPress plugin repository for the latest advisory and update information regarding CVE-2026-3892.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Scannez votre projet WordPress maintenant — sans compte
scanZone.subtitle
Glissez-déposez votre fichier de dépendances
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...