A severe security flaw has been discovered in the popular premium WordPress theme Motors, enabling unauthenticated attackers to hijack administrator accounts and gain full control of affected websites.
Developed by StylemixThemes, the Motors theme is widely used in the automotive sector, powering websites for car dealerships, rental services, and used vehicle listings. With over 22,300 sales on the Envato Market and an active user community, the theme’s vulnerability poses a significant risk.
Tracked as CVE-2025-4322, the privilege escalation vulnerability affects all versions up to and including 5.6.67. The flaw stems from improper validation of user identity during password updates, allowing attackers to change any user’s password, including administrators, without authentication.
By exploiting this vulnerability, attackers can implant malware, steal sensitive database information, and redirect visitors to malicious sites. StylemixThemes addressed the issue with the release of Motors version 5.6.68 on May 14, 2025.
Because WordPress themes are essential components that cannot be easily disabled or replaced, immediate updating to the latest version is crucial. StylemixThemes provides a detailed guide for updating Motors through the WordPress dashboard, the Envato API, or manually via FTP. Users are advised to back up their websites before proceeding with the update to avoid data loss.
Though not as widespread as some WordPress plugins, the Motors theme is typically used on active business sites, increasing the potential impact of this security flaw.
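To confirm whether a given server still runs an affected release, the version bounds above can be checked against the theme headers on disk. This is an added example, not code from StylemixThemes or the original article; it assumes the theme's `style.css` declares `Theme Name: Motors`, and the sample directory tree is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (5, 6, 68)      # first patched release named in the article
THEME_NAME = "motors"   # assumption: value of the theme's "Theme Name" header
HEADER = re.compile(r"^[ \t/*#@]*(Theme Name|Version|Template):(.*)$", re.I | re.M)

def read_headers(style_css):  # WordPress reads headers from the first 8 KiB
    text = style_css.read_bytes()[:8192].decode("utf-8", "replace")
    headers = {}
    for key, value in HEADER.findall(text):
        headers.setdefault(key.lower(), value.strip().rstrip("*/").strip())
    return headers

def parse_version(version):
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(themes_dir):
    """Return sorted (directory, motors_version, status) for Motors and child themes."""
    themes = {p.parent.name: read_headers(p) for p in Path(themes_dir).glob("*/style.css")}
    is_motors = lambda h: h.get("theme name", "").lower() == THEME_NAME
    findings = []
    for slug, h in themes.items():
        # A child theme runs its parent's code, so the parent's version decides.
        parent = themes.get(h.get("template", ""), {})
        source = h if is_motors(h) else parent if is_motors(parent) else None
        if source is None:
            continue
        version = source.get("version", "")
        status = "vulnerable" if parse_version(version) < FIXED else "patched"
        findings.append((slug, version, status if version else "unknown"))
    return sorted(findings)

def build_sample(root):
    # Constructed sample tree; directory names and header values are made up.
    for slug, body in {
        "motors": "/*\nTheme Name: Motors\nVersion: 5.6.67\n*/",
        "motors-child": "/*\nTheme Name: Dealer Child\nTemplate: motors\nVersion: 1.0\n*/",
        "other": "/*\nTheme Name: Other\nVersion: 1.2\n*/",
    }.items():
        (Path(root) / slug).mkdir(parents=True)
        (Path(root) / slug / "style.css").write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit(build_sample(tmp)):
            print(*row)
```

On a real host, call `audit()` with the path to `wp-content/themes`; a child theme is reported with its parent's version because the password-update code it runs lives in the parent.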