Hackers are exploiting a crucial privilege escalation vulnerability within the WordPress theme “Motors” to hijack administrator accounts and achieve full management of a focused web site.
The malicious exercise was noticed by Wordfence, which had warned final month concerning the severity of the flaw, tracked underneath CVE-2025-4322, urging customers to improve instantly.
Motors, developed by StylemixThemes, is a WordPress theme standard amongst automotive-related web sites. It has 22,460 gross sales on the EnvatoMarket and is backed by an lively group of customers.
The privilege escalation vulnerability was found on Might 2, 2025, and first reported by Wordfence on Might 19, impacting all variations earlier than and together with 5.6.67.
The flaw arises from an improper consumer id validation throughout password updating, permitting unauthenticated attackers to vary administrator passwords at will.
StylemixThemes launched Motors model 5.6.68, which addresses CVE-2025-4322, on Might 14, 2025, however many customers failed to use the replace by Wordfence’s disclosure and received uncovered to elevated exploitation threat.
As Wordfence confirms in a brand new writeup, the assaults started on Might 20, solely a day after they publicly disclosed the small print. Broad-scale assaults have been noticed by June 7, 2025, with Wordfence reporting blocking 23,100 makes an attempt in opposition to its clients.
.jpg)
Supply: Wordfence
Attack course of and indicators of breach
The vulnerability is within the Motors theme’s “Login Register” widget, together with password restoration performance.
The attacker first locates the URL the place this widget is positioned by probing /login-register, /account, /reset-password, /signin, and so forth., with specifically crafted POST requests till they get a success.
The request comprises invalid UTF-8 characters in a malicious ‘hash_check’ worth, inflicting the hash comparability within the password reset logic to succeed incorrectly.
The POST physique comprises a ‘stm_new_password’ worth that resets the consumer password, concentrating on consumer IDs that sometimes correspond to administrator customers.
Supply: Wordfence
Attacker-set passwords noticed within the assaults to date embody:
- Testtest123!@#
- rzkkd$SP3znjrn
- Kurd@Kurd12123
- owm9cpXHAZTk
- db250WJUNEiG
As soon as entry is gained, the attackers log into the WordPress dashboard as directors and create new admin accounts for persistence.
The sudden look of such accounts mixed with current directors being locked out (passwords not working) are indicators of CVE-2025-4322 exploitation.
Wordfence has additionally listed a number of IP addresses that launch these assaults within the report, which WordPress web site house owners are really helpful to placed on their block checklist.
Patching used to imply advanced scripts, lengthy hours, and infinite fireplace drills. Not anymore.
On this new information, Tines breaks down how trendy IT orgs are leveling up with automation. Patch quicker, cut back overhead, and concentrate on strategic work — no advanced scripts required.
