The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to set an arbitrary filesystem path via the profile update handler. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Motors – Car Dealership & Classified Listings Plugin for WordPress contains a critical arbitrary file deletion vulnerability (CVE-2026-3892, CVSS 8.1) affecting all versions up to and including 1.4.107. The vulnerability exists in the become-dealer logo upload functionality, where insufficient file path validation allows authenticated users with subscriber-level privileges to specify arbitrary filesystem paths during profile updates. An attacker with basic account access can therefore craft malicious requests that delete critical files on the web server, potentially removing application files, configuration files, or other sensitive data necessary for site operation. The vulnerability is particularly dangerous because it requires only low-privilege authentication and can lead to complete site compromise, data loss, or denial of service.
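The missing check described above is a containment test on the stored logo path before anything is deleted. The following is an added example, not the plugin's code or the vendor's patch: the function names, the single uploads root, and the sandbox files are assumptions made for illustration.

```php
<?php
// Added illustration (hypothetical names); not code from the Motors plugin.

/** Return the real path only if $userPath is a regular file inside $uploadsBase. */
function resolve_deletable_logo(string $userPath, string $uploadsBase): ?string
{
    $base = realpath($uploadsBase);
    if ($base === false || $userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // Always treat the value as relative to the uploads root, never as absolute.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    // realpath() collapses ../ and follows symlinks; false means no such file.
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so "uploads-evil" cannot match "uploads".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Delete a previous logo only when the containment check passes. */
function delete_old_logo(string $userPath, string $uploadsBase): bool
{
    $real = resolve_deletable_logo($userPath, $uploadsBase);
    return $real !== null && unlink($real);
}

// Constructed sandbox: a fake site root with a config file and an uploads dir.
$root = sys_get_temp_dir() . '/motors_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads/dealers", 0700, true);
mkdir("$root/uploads-evil", 0700);
file_put_contents("$root/wp-config.php", "<?php // constructed\n");
file_put_contents("$root/uploads-evil/x.png", 'x');
file_put_contents("$root/uploads/dealers/logo.png", 'x');

$cases = [
    'dealers/logo.png'      => true,   // legitimate logo inside uploads
    '../wp-config.php'      => false,  // traversal out of uploads
    "$root/wp-config.php"   => false,  // absolute path supplied by the user
    '../uploads-evil/x.png' => false,  // sibling directory sharing the prefix
];
foreach ($cases as $path => $expected) {
    $deleted = delete_old_logo($path, "$root/uploads");
    printf("%-50s deleted=%-5s expected=%s\n", $path,
        var_export($deleted, true), var_export($expected, true));
}
printf("wp-config.php still present: %s\n", var_export(file_exists("$root/wp-config.php"), true));
```

In a WordPress plugin the base directory would come from `wp_upload_dir()['basedir']`, and the same check belongs both where the profile handler stores the path and where the deletion happens.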
While this CVE currently maps to CWE-73 (External Control of File Name or Path) and has no direct MITRE ATT&CK technique mapping, Casky's security skills—powered by Claude AI's extended reasoning—would identify related attack patterns such as Defense Evasion (T1070 - Indicator Removal on Host), Impact (T1531 - Account Access Removal, T1485 - Data Destruction), and Lateral Movement techniques involving file system manipulation. Practitioners using Casky would observe detection findings revealing suspicious profile update requests containing path traversal sequences (../, absolute paths), unauthorized file deletion attempts in server logs, and unexpected modifications to the become-dealer upload handler parameters. The platform's 754 mapped skills enable practitioners to correlate these file deletion patterns with account activity timelines, identify which authenticated sessions performed deletions, and trace the attack back to specific user accounts for incident response and forensic investigation.
© 2026 Casky.AI, Inc. · AI Security Investigation