[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8oVJAe5FdV4vvk9W8xzuYsDBRCYPHHQ5YpJSPxDhFck":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3892","motors-car-dealer-classifieds-listing-authenticated-subscriber-arbitrary-file-deletion-via-stmdealerlogopath-parameter","Motors – Car Dealer, Classifieds & Listing \u003C= 1.4.107 - Authenticated (Subscriber+) Arbitrary File Deletion via 'stm_dealer_logo_path' Parameter","The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to set an arbitrary filesystem path via the profile update handler. 
This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server.","motors-car-dealership-classified-listings",null,"\u003C=1.4.107","1.4.108","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","External Control of File Name or Path","2026-05-13 18:03:27","2026-05-14 06:44:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F52cbc6a4-9825-4b26-8653-0c75cf5247c5?source=api-prod",1,[22,23,24,25,26,27,28,29],"includes\u002Fadmin\u002Fpage_generator\u002Fjs\u002Fpage_generator.js","includes\u002Fhelpers.php","includes\u002Fnuxy\u002Fcustom-fields\u002Fjs_components\u002Fnuxy-radio.js","includes\u002Fstarter-theme\u002Fdashboard\u002Fwizard\u002Fincludes\u002Ffunctions.php","includes\u002Fuser-extra.php","readme.txt","stm_vehicles_listing.php","templates\u002Fuser\u002Fprivate\u002Fbecome-dealer.php","researched",false,3,"This research plan outlines the steps required to demonstrate the arbitrary file deletion vulnerability in the **Motors – Car Dealership & Classified Listings** plugin (CVE-2026-3892).\n\n### 1. Vulnerability Summary\nThe Motors plugin fails to validate the `stm_dealer_logo_path` parameter when updating a user's profile meta. An authenticated attacker with Subscriber-level privileges can set this meta field to an arbitrary filesystem path (e.g., `wp-config.php`). When the attacker subsequently triggers a logo update or deletion via the \"Become Dealer\" flow, the plugin's logic attempts to \"clean up\" the previous logo by calling `unlink()` on the path stored in the `stm_dealer_logo_path` meta, resulting in the deletion of the target file.\n\n### 2. 
Attack Vector Analysis\n- **Vulnerable Parameter:** `stm_dealer_logo_path`\n- **Injection Point:** User Profile Update (`wp-admin\u002Fprofile.php` or a frontend equivalent).\n- **Trigger Point:** The \"Become Dealer\" submission handler (`templates\u002Fuser\u002Fprivate\u002Fbecome-dealer.php`).\n- **Authentication Level:** Subscriber or higher.\n- **Preconditions:** The attacker must be able to update their own user meta and then access the dealer registration form.\n\n### 3. Code Flow\n1.  **Injection Phase:**\n    - The plugin registers fields in `includes\u002Fuser-extra.php` using hooks like `show_user_profile`. \n    - While the snippet shows `stm_user_avatar_path`, the vulnerability exists in the handling of `stm_dealer_logo_path`.\n    - When a user updates their profile, the plugin (via truncated logic) saves POST parameters starting with `stm_` directly to user meta without path validation.\n2.  **Trigger Phase:**\n    - The attacker navigates to the \"Become Dealer\" page (handled by `templates\u002Fuser\u002Fprivate\u002Fbecome-dealer.php`).\n    - The attacker submits the form with a new `stm-avatar` file upload.\n    - **SINK:** Inside the file upload handler (referenced around line 141), the plugin retrieves the existing path from the `stm_dealer_logo_path` user meta.\n    - **EXECUTION:** The plugin calls `unlink($old_path)` to remove the previous logo before saving the new one. Because `$old_path` is controlled by the attacker, any file can be deleted.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability involves two steps: updating profile meta and triggering the deletion.\n\n#### Phase 1: Profile Update (Admin Context)\nTo update the profile meta via the standard WordPress admin panel:\n1.  **Action:** `update-user_{ID}`\n2.  **Nonce Key:** `_wpnonce`\n3.  
**Acquisition:**\n    - Navigate to `wp-admin\u002Fprofile.php`.\n    - Use `browser_eval` to extract the nonce from the form: `document.querySelector('#your-profile input[name=\"_wpnonce\"]').value`.\n\n#### Phase 2: Dealer Registration (Frontend Context)\nIf the deletion is triggered via the frontend \"Become Dealer\" form:\n1.  The template `become-dealer.php` does not appear to use a dedicated nonce for the file upload (it relies on `is_user_logged_in()`).\n2.  If a nonce is required, it is likely localized as part of the theme\u002Fplugin's frontend scripts.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Preparation\n- Create a Subscriber user.\n- Create a \"canary\" file to delete: `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fcanary.php`.\n\n#### Step 2: Path Injection\nInject the target file path into the user's meta.\n- **Request Type:** POST\n- **URL:** `\u002Fwp-admin\u002Fprofile.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Payload:**\n  ```text\n  _wpnonce=[NONCE]&action=update&user_id=[ID]&stm_dealer_logo_path=\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fcanary.php&email=[USER_EMAIL]...\n  ```\n  *(Note: Include other required fields like email and nicknames to satisfy WordPress profile update requirements).*\n\n#### Step 3: Trigger Deletion\nSubmit the \"Become Dealer\" form with a dummy image to trigger the cleanup logic.\n- **Request Type:** POST (Multipart Form Data)\n- **URL:** The URL of the page using the `become-dealer.php` template (e.g., `\u002Fbecome-dealer\u002F` or `\u002Faccount\u002Fbecome-dealer\u002F`).\n- **Payload:**\n  - `stm_company_name`: `Test Dealer`\n  - `stm_licence`: `12345`\n  - `stm_location`: `London`\n  - `stm-avatar`: (A valid small `.png` or `.jpg` file)\n  - Other required fields as defined in `required_fields` (line 74 of `become-dealer.php`).\n\n### 6. Test Data Setup\n1.  
**Canary File:** `echo \"\u003C?php \u002F\u002F canary ?>\" > \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fcanary.php`\n2.  **User:** Create a subscriber user `attacker`.\n3.  **Page Setup:** Ensure a page exists with the \"Become Dealer\" functionality. This might require setting the page template to `become-dealer` via WP-CLI:\n    ```bash\n    wp post create --post_type=page --post_title=\"Become Dealer\" --post_status=publish --post_content=\"[stm_become_dealer]\"\n    ```\n    *(Note: Verify the exact shortcode or template name in the plugin settings or files).*\n\n### 7. Expected Results\n1.  The profile update request (Step 2) succeeds, and the database now stores the path to `canary.php` in the `attacker`'s user meta.\n2.  The \"Become Dealer\" request (Step 3) processes the file upload.\n3.  The plugin identifies the \"old\" logo path from meta and unlinks it.\n4.  The file `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fcanary.php` is deleted from the filesystem.\n\n### 8. Verification Steps\nAfter the HTTP requests, use WP-CLI to verify the deletion:\n```bash\n# Check if the file still exists\nls \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fcanary.php\n\n# Check the user meta to see the new path (optional)\nwp user meta get [ID] stm_dealer_logo_path\n```\n\n### 9. 
Alternative Approaches\nIf `stm_dealer_logo_path` is not directly editable via `profile.php`, check for an AJAX handler that updates dealer settings:\n- **Action:** `stm_ajax_update_user` or `stm_ajax_save_settings`.\n- If the plugin uses a frontend dashboard, the meta might be updated via a POST to the profile dashboard page with the same parameter name.\n- **Target File:** If successful with the canary, the same method can target `wp-config.php`, leading to a site-wide Denial of Service or allowing for a fresh reinstall.","The Motors – Car Dealership & Classified Listings plugin for WordPress is vulnerable to authenticated arbitrary file deletion due to insufficient path validation in the 'Become Dealer' logo upload flow. An attacker with subscriber-level access can set a target filesystem path in their user metadata and then trigger a file deletion by performing a logo update, which executes an unvalidated unlink() call on the stored path.","\u002F\u002F includes\u002Fuser-extra.php around line 145\n\u002F\u002F The plugin exposes raw path fields in the user profile which are saved to user meta.\n\u003Cinput type=\"text\" name=\"stm_user_avatar_path\" id=\"stm_user_avatar_path\"\n    value=\"\u003C?php echo esc_attr( get_the_author_meta( 'stm_user_avatar_path', $user->ID ) ); ?>\"\n    class=\"regular-text\"\u002F>\n\n---\n\n\u002F\u002F templates\u002Fuser\u002Fprivate\u002Fbecome-dealer.php (logic starting around line 141)\n\u002F\u002F When a new logo is uploaded via the Become Dealer form, the plugin cleans up the old logo.\n$file = $_FILES['stm-avatar'];\nif ( is_array( $file ) && ! empty( $file['name'] ) ) {\n    \u002F\u002F ... 
logic to handle upload ...\n    \u002F\u002F The plugin retrieves the 'old' path from user meta (e.g., stm_dealer_logo_path)\n    \u002F\u002F SINK: The plugin calls unlink($old_path) without verifying it is within an allowed directory.\n    unlink($old_path); \n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.107\u002Fincludes\u002Fhelpers.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmotors-car-dealership-classified-listings\u002F1.4.108\u002Fincludes\u002Fhelpers.php\n@@ -1305,6 +1305,33 @@\n \tadd_filter( 'motors_vl_dealer_logo_placeholder', 'motors_vl_dealer_logo_placeholder' );\n }\n \n+if ( ! function_exists( 'stm_mvl_is_path_within_uploads' ) ) {\n+\tfunction stm_mvl_is_path_within_uploads( $path ) {\n+\t\tif ( ! is_string( $path ) || '' === trim( $path ) ) {\n+\t\t\treturn true;\n+\t\t}\n+\t\t$path = trim( $path );\n+\t\t$dir  = wp_upload_dir();\n+\t\tif ( ! empty( $dir['error'] ) ) {\n+\t\t\treturn false;\n+\t\t}\n+\t\t$upload_basedir = $dir['basedir'];\n+\t\t$real_upload    = realpath( $upload_basedir );\n+\t\t$real_path      = realpath( $path );\n+\t\tif ( false === $real_upload || false === $real_path ) {\n+\t\t\treturn false;\n+\t\t}\n+\t\treturn 0 === strpos( $real_path . DIRECTORY_SEPARATOR, $real_upload . DIRECTORY_SEPARATOR );\n+\t}\n+}\n+\n+if ( ! function_exists( 'stm_mvl_filter_path_within_uploads' ) ) {\n+\tfunction stm_mvl_filter_path_within_uploads( $default, $path ) {\n+\t\treturn stm_mvl_is_path_within_uploads( $path );\n+\t}\n+\tadd_filter( 'stm_mvl_is_path_within_uploads', 'stm_mvl_filter_path_within_uploads', 10, 2 );\n+}\n+","1. Login as an authenticated user (Subscriber or higher).\n2. 
Inject the target file path into the user's metadata (e.g., 'stm_dealer_logo_path') by submitting a POST request to \u002Fwp-admin\u002Fprofile.php with the 'stm_dealer_logo_path' parameter set to the absolute path of the file you wish to delete (e.g., \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php).\n3. Navigate to the 'Become Dealer' registration page.\n4. Submit the 'Become Dealer' form and include an image file upload for the dealer logo ('stm-avatar').\n5. The plugin's submission handler identifies that a 'previous' logo path exists in the user's meta and attempts to delete it using unlink(). Because the path is attacker-controlled, the target file is deleted from the server.","gemini-3-flash-preview","2026-05-14 17:08:30","2026-05-14 17:09:57",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.4.107","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags\u002F1.4.107","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmotors-car-dealership-classified-listings.1.4.107.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags\u002F1.4.108","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmotors-car-dealership-classified-listings.1.4.108.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotors-car-dealership-classified-listings\u002Ftags"]
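Review bot: in the includes/helpers.php hunk, the first branch of stm_mvl_is_path_within_uploads() returns true when $path is not a string or is empty, so a non-string value is reported as being inside the uploads directory. Suggest returning false for non-strings and having callers treat the empty string as "no stored logo" explicitly, so the helper fails closed. The result is also routed through the 'stm_mvl_is_path_within_uploads' filter, whose callback ignores $default, which means any callback hooked at a later priority can override the decision; a direct function call at the deletion site would be harder to bypass. Because realpath() returns false for a path that does not exist, the helper rejects every not-yet-created file, which deserves a docblock since the function has none. This hunk adds only the helper; the visible lines do not show the profile save handler or the unlink() call in templates/user/private/become-dealer.php using it, so confirm both paths are gated before the meta is written and before the file is removed.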