A critical privilege escalation vulnerability has been found in the premium WordPress theme Motors that allows unauthenticated attackers to hijack administrator accounts and take full control of affected websites.
Developed by StylemixThemes, Motors is one of the top-selling automotive themes for the WordPress platform. It is very popular among automotive businesses such as car dealerships, rental services, and used-car listing platforms.
It has over 22,300 sales on the Envato marketplace, with hundreds of user reviews and thousands of comments, indicating a highly active community around it.
The flaw, tracked as CVE-2025-4322, was publicly disclosed by Wordfence earlier today and added to the National Vulnerability Database (NVD).
It is a privilege escalation issue affecting all versions of the Motors theme up to and including 5.6.67.
“This (vulnerability) is due to the theme not properly validating a user’s identity prior to updating their password,” explains Wordfence.
“This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.”
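To make the class of bug Wordfence describes concrete, here is an added illustration in WordPress-style PHP. It is not the Motors theme's code and does not reproduce the actual vulnerable function: the AJAX action names (`demo_*`), request field names and handler logic are all assumed. The first handler shows the anti-pattern of accepting a user ID from the request and setting a password without proving who the caller is; the two hardened handlers show the standard ways WordPress code establishes identity before a password change (an authenticated user re-entering their current password, or an unauthenticated user presenting a valid emailed reset key).

```php
<?php
// Added example of the bug class described in the article. This is NOT the
// Motors theme's code: all action names, field names and logic are assumed.

// VULNERABLE PATTERN: the handler trusts a user identifier supplied in the
// request and sets the password without proving the caller is that user.
// Registering it on wp_ajax_nopriv_* exposes it to unauthenticated visitors.
add_action('wp_ajax_nopriv_demo_update_password', 'demo_update_password_vulnerable');
function demo_update_password_vulnerable() {
    $user_id  = (int) ($_POST['user_id'] ?? 0);           // attacker-controlled
    $new_pass = (string) ($_POST['new_password'] ?? '');  // attacker-controlled
    // No nonce, no login requirement, no reset-key check: any visitor can
    // rotate the password of user ID 1 (usually the first administrator).
    wp_set_password($new_pass, $user_id);
    wp_send_json_success('password updated');
}

// HARDENED PATTERN A: a logged-in user changing their own password.
// Registered on wp_ajax_* only, so WordPress rejects anonymous callers.
add_action('wp_ajax_demo_change_own_password', 'demo_change_own_password');
function demo_change_own_password() {
    check_ajax_referer('demo_change_password', 'nonce'); // CSRF protection; dies on failure
    $user_id = get_current_user_id();                     // taken from the session, never from POST
    if (!$user_id) {
        wp_send_json_error('not logged in', 401);
    }
    $user     = get_user_by('id', $user_id);
    $current  = (string) ($_POST['current_password'] ?? '');
    $new_pass = (string) ($_POST['new_password'] ?? '');
    // Re-authenticate: the caller must prove knowledge of the existing password.
    if (!wp_check_password($current, $user->user_pass, $user->ID)) {
        wp_send_json_error('current password incorrect', 403);
    }
    if (strlen($new_pass) < 12) {
        wp_send_json_error('password too short', 400);
    }
    wp_set_password($new_pass, $user->ID);
    wp_send_json_success('password updated');
}

// HARDENED PATTERN B: unauthenticated "forgot password" completion.
// Identity is proven by the single-use reset key WordPress emailed to the
// account owner, not by any identifier the client chooses.
add_action('wp_ajax_nopriv_demo_reset_password', 'demo_reset_password');
function demo_reset_password() {
    $login    = (string) ($_POST['login'] ?? '');
    $key      = (string) ($_POST['key'] ?? '');
    $new_pass = (string) ($_POST['new_password'] ?? '');
    // check_password_reset_key() verifies the key against the stored hash and
    // its expiry; it returns a WP_User on success and a WP_Error otherwise.
    $user = check_password_reset_key($key, $login);
    if (is_wp_error($user)) {
        wp_send_json_error('invalid or expired reset key', 403);
    }
    if (strlen($new_pass) < 12) {
        wp_send_json_error('password too short', 400);
    }
    // reset_password() sets the new password and invalidates the key.
    reset_password($user, $new_pass);
    wp_send_json_success('password reset');
}
```

The common thread is where the target account comes from: in the vulnerable handler it is whatever the request says, while in both hardened handlers it is derived from something only the legitimate user holds (an authenticated session plus the current password, or a reset key bound to that account). When reviewing a theme or plugin, any call to `wp_set_password()` whose user ID traces back to request input without such a check is a candidate for exactly this kind of flaw.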
With admin-level access, attackers could implant malware, exfiltrate database contents and sensitive member details, or redirect visitors to malicious sites.
StylemixThemes released Motors version 5.6.68, which addresses CVE-2025-4322, on May 14, 2025.
WordPress themes are central to a site and cannot be temporarily disabled or easily swapped out, so upgrading to the latest version as soon as possible is critical. Administrators can confirm the installed version under Appearance > Themes in the dashboard or with WP-CLI (`wp theme list`).
The vendor has a detailed online guide on updating Motors via the WordPress panel, the Envato API, or manually via FTP.
It is important to back up your website before updating theme components to prevent potential data loss. Because the flaw allows passwords to be changed, site owners should also check for unexpected administrator password changes or unfamiliar admin accounts created before the update was applied.
Although the issue does not affect a plugin installed on millions of websites, as many WordPress flaws do, it still constitutes a significant risk.
Given the price of $79 for a regular license and $2,000 for an extended license, Motors is more likely to be deployed on active sites and by those running businesses.