A critical privilege escalation vulnerability has been found in the premium WordPress theme Motors, which allows unauthenticated attackers to hijack administrator accounts and take full control of websites.
Developed by StylemixThemes, Motors is one of the top-selling automotive themes for the WordPress platform. It is very popular among automotive businesses such as car dealerships, rental companies, and used-car listing platforms.
It has over 22,300 sales on the Envato marketplace, with hundreds of user reviews and thousands of comments, indicating a highly active community around it.
The flaw, tracked as CVE-2025-4322, was publicly disclosed by Wordfence earlier today and added to the National Vulnerability Database (NVD).
It is a privilege escalation problem affecting all versions of the Motors theme up to and including 5.6.67.
“This (vulnerability) is due to the theme not properly validating a user's identity prior to updating their password,” explains Wordfence.
“This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.”
By gaining admin-level access, attackers could implant malware, exfiltrate database contents and sensitive member details, or redirect visitors to malicious sites.
StylemixThemes released Motors version 5.6.68, which addresses CVE-2025-4322, on May 14, 2025.
WordPress themes are central to websites and cannot be temporarily disabled or easily replaced, so upgrading to the latest version as soon as possible is critical.
The vendor has a detailed online guide on updating Motors via the WordPress panel, the Envato API, or manually via FTP.
It is important to back up your website before updating theme components to prevent potential data loss.
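A quick way for site owners to confirm which build is installed before and after the update is to read the theme header that WordPress itself parses from `style.css`. The script below is an added example, not code from the article, Wordfence or StylemixThemes; it assumes the parent theme declares `Theme Name: Motors` in its header, and the sample headers it runs against are constructed.

```python
import re
from pathlib import Path

# Release that closes CVE-2025-4322 (per the advisory); 5.6.67 and earlier are affected.
FIXED_VERSION = "5.6.68"
AFFECTED_THEME = "motors"  # assumption: parent theme header reads "Theme Name: Motors"

# WordPress reads theme metadata from the comment header at the top of style.css.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version|Template):[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def parse_theme_header(style_css: str) -> dict:
    """Return the Theme Name / Version / Template header fields found in style.css."""
    fields = {}
    for key, value in HEADER_RE.findall(style_css):
        fields.setdefault(key, value)  # first occurrence wins
    return fields


def version_tuple(version: str) -> tuple:
    """'5.6.67' -> (5, 6, 67). Compare numerically: as strings, '5.6.9' sorts above '5.6.68'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def check_theme(style_css: str) -> str:
    """Classify one style.css as vulnerable, patched, child-theme, not-motors or unknown."""
    hdr = parse_theme_header(style_css)
    if "Template" in hdr:
        return "child-theme"  # a child theme's own version says nothing; check the parent
    if hdr.get("Theme Name", "").strip().lower() != AFFECTED_THEME:
        return "not-motors"
    if not hdr.get("Version"):
        return "unknown"
    if version_tuple(hdr["Version"]) < version_tuple(FIXED_VERSION):
        return "vulnerable"
    return "patched"


def scan_themes_dir(themes_dir: Path) -> dict:
    """Check every <themes_dir>/<slug>/style.css, e.g. wp-content/themes on a live install."""
    return {p.parent.name: check_theme(p.read_text(errors="replace"))
            for p in sorted(themes_dir.glob("*/style.css"))}


# Constructed sample headers, not taken from the theme itself.
SAMPLES = {
    "motors-old": "/*\nTheme Name: Motors\nAuthor: StylemixThemes\nVersion: 5.6.67\n*/\n",
    "motors-fixed": "/*\nTheme Name: Motors\nAuthor: StylemixThemes\nVersion: 5.6.68\n*/\n",
    "motors-child": "/*\nTheme Name: Motors Child\nTemplate: motors\nVersion: 1.0.0\n*/\n",
    "other": "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.1\n*/\n",
}

if __name__ == "__main__":
    for slug, css in SAMPLES.items():
        print(f"{slug:13} {check_theme(css)}")
```

On a real install, point `scan_themes_dir` at `wp-content/themes`; a `child-theme` result means the parent directory's `style.css` carries the version that matters.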
Although the issue does not impact a WordPress plugin active on millions of websites, it still constitutes a significant risk.
Given the price of $79 for a regular license and $2,000 for an extended license, Motors is more likely to be deployed on active sites or by those running businesses.