A severe security vulnerability has been identified in the premium WordPress theme Motors, potentially allowing unauthenticated attackers to hijack administrator accounts and seize full control of affected websites.

CVE-2025-4322
The vulnerability, tracked as CVE-2025-4322, was publicly disclosed today by security firm Wordfence and has been assigned a CVSS severity rating of 9.8, classifying it as critical. The vulnerability affects all versions of the theme up to and including v5.6.67.
According to Wordfence, the vulnerability (CVE-2025-4322) stems from the theme’s failure to properly verify a user’s identity when updating passwords. This oversight enables an unauthenticated attacker to change the password of any account, including those with administrator privileges.
Once admin access is obtained, malicious actors can install malware, extract sensitive user data, or redirect site visitors to harmful domains.
Potential Impact of CVE-2025-4322
Developed by StylemixThemes, Motors is a top-selling automotive WordPress theme widely used by car dealerships, rental services, and used vehicle listing platforms. With over 22,300 sales on the Envato Market, the theme supports a large and active community of users.
While the vulnerability does not affect a plugin installed on millions of sites, its presence in a paid theme, priced at $79 for a regular license and $2,000 for an extended license, means that it likely affects high-traffic or business-critical websites.
Mitigation of CVE-2025-4322
StylemixThemes released version 5.6.68 of Motors on May 14, 2025, patching the vulnerability. Users are strongly urged to update to the latest version immediately, as WordPress themes are integral to site functionality and not easily disabled or replaced.
The vendor has published detailed instructions for updating the theme via the WordPress dashboard, Envato API, or manual FTP upload. Users are also advised to back up their sites prior to updating to avoid potential data loss.
Website administrators using Motors are urged to act quickly to secure their installations and prevent potential exploitation.
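Before updating, administrators responsible for several sites usually want a quick inventory of which installs still carry a vulnerable Motors build. The following POSIX shell script is an added example written for this article, not code from Wordfence or StylemixThemes: it reads the standard WordPress theme header in each theme’s style.css under wp-content/themes, identifies the Motors theme by its "Theme Name" field, and compares the "Version" field against 5.6.68, the first patched release named above. The directory layout and the header format are the standard WordPress ones; the sample theme directories used for testing are constructed.

```shell
#!/bin/sh
# Added example: find Motors theme installs older than the patched release.
# Assumes the standard WordPress layout (wp-content/themes/<theme>/style.css)
# and the standard style.css header block ("Theme Name:", "Version:").

FIXED_VERSION="5.6.68"   # first release that patches CVE-2025-4322 (from the advisory)

# Print the value of a header field from a theme's style.css.
# $1 = field name (e.g. "Theme Name" or "Version"), $2 = path to style.css
# Handles both "Field: value" and " * Field: value" header styles.
theme_header() {
    sed -n "s/^[[:space:]]*\*\{0,1\}[[:space:]]*$1:[[:space:]]*//p" "$2" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 (true) when version $1 is older than version $2.
# Compares dot-separated numeric components, so 5.6.9 < 5.6.68.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0;
            y = (i <= nb) ? pb[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 1
    }'
}

# Classify one theme's style.css.
# Prints one of: not-motors, unknown-version, vulnerable, patched
# Child themes ("Motors Child" with "Template: motors") report not-motors on
# purpose: the parent directory's own style.css carries the version that matters.
motors_status() {
    name=$(theme_header "Theme Name" "$1")
    case "$name" in
        Motors) ;;
        *) echo "not-motors"; return 0 ;;
    esac
    ver=$(theme_header "Version" "$1")
    if [ -z "$ver" ]; then
        echo "unknown-version"
        return 0
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Scan a themes directory and print "<theme dir>\t<status>" for every Motors install.
# $1 = path to wp-content/themes
scan_themes() {
    for css in "$1"/*/style.css; do
        [ -f "$css" ] || continue
        status=$(motors_status "$css")
        [ "$status" = "not-motors" ] && continue
        printf '%s\t%s\n' "$(dirname "$css")" "$status"
    done
}

# Stand-alone use: sh motors_check.sh /var/www/html/wp-content/themes
if [ "$#" -ge 1 ]; then
    scan_themes "$1"
fi
```

Run it against each site’s wp-content/themes directory; any line reporting "vulnerable" is an install that still needs the 5.6.68 update, and "unknown-version" flags a style.css that should be inspected by hand. The script only reads the header; it does not touch the theme files, so it is safe to run on production hosts.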
Source: hxxps[://]www[.]wordfence[.]com/threat-intel/vulnerabilities/wordpress-themes/motors/motors-5667-unauthenticated-privilege-escalation-via-password-updateaccount-takeover