A critical vulnerability has been uncovered in the widely used Motors WordPress theme, enabling unauthenticated attackers to escalate privileges and gain full administrative control over compromised websites.
Motors, developed by StylemixThemes, is a leading theme designed for automotive businesses, including dealerships and rental services, with over 22,000 sales on the Envato marketplace.
Security firm Wordfence identified the flaw, registered as CVE-2025-4322, affecting all versions of the theme up to and including the latest 5.6.67 release. The vulnerability stems from inadequate authentication during the password update process, allowing an attacker to change the password of any user account, including administrator accounts, without proper verification.
Attackers exploiting this weakness can inject malware, access or leak sensitive database information, and redirect site visitors to malicious destinations.
Comprehensive guidance for securely updating the Motors theme via the WordPress dashboard, Envato API, or manual FTP methods has been made available online.
Given Motors’ significant role in automotive-related online platforms and its relatively high licensing fees—ranging from $79 for the standard version to $2,000 for the extended edition—this vulnerability presents a serious risk to organizations dependent on continuous online operations.
In addition, a newly observed “double-click” attack technique this year allows cybercriminals to hijack accounts with minimal user interaction, using OAuth authorization dialogs or account confirmation pages embedded with hidden malicious elements.
Website administrators using the Motors theme are strongly advised to apply updates immediately and thoroughly review their site’s security settings to reduce potential threats.
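To find installs in the affected range stated above (up to and including 5.6.67), the following added example, which is not code from Wordfence or StylemixThemes, reads each theme's `style.css` header under a themes directory and flags Motors and any child theme built on it. It assumes the theme declares `Theme Name: Motors` in that header; the directory names and sample headers in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (5, 6, 67)  # from the article: all versions up to and including 5.6.67

def parse_header(css_text):
    """Return 'Key: value' fields from a style.css header, keys lowercased."""
    fields = {}
    for line in css_text[:8192].splitlines():  # WordPress reads only the first 8 KB
        m = re.match(r"^[\s*/#@]*([A-Za-z ]+?)\s*:\s*(.+?)\s*(\*/)?\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def version_tuple(version):
    """'5.6.67' -> (5, 6, 67); an empty or non-numeric string -> ()."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])

def scan_themes(themes_dir):
    """Map theme folder -> 'affected' | 'newer' | 'unknown' for Motors and its children."""
    headers = {css.parent.name: parse_header(css.read_text(errors="replace"))
               for css in Path(themes_dir).glob("*/style.css")}
    # Assumption: the parent theme is identified by 'Theme Name: Motors'.
    motors = {d for d, h in headers.items()
              if h.get("theme name", "").strip().lower() == "motors"}
    results = {}
    for folder, header in headers.items():
        # A child theme names its parent's folder in the 'Template' field.
        parent = folder if folder in motors else header.get("template", "").strip()
        if parent not in motors:
            continue
        ver = version_tuple(headers[parent].get("version", ""))
        results[folder] = "unknown" if not ver else (
            "affected" if ver <= AFFECTED_MAX else "newer")
    return results

def demo():
    """Build a constructed themes directory and scan it."""
    samples = {"motors": "Theme Name: Motors\nVersion: 5.6.67",
               "motors-child": "Theme Name: Dealer Child\nTemplate: motors\nVersion: 1.0",
               "other": "Theme Name: Other\nVersion: 1.2"}
    with tempfile.TemporaryDirectory() as tmp:
        for folder, header in samples.items():
            (Path(tmp) / folder).mkdir()
            (Path(tmp) / folder / "style.css").write_text(f"/*\n{header}\n*/\n")
        return scan_themes(tmp)

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the site's `wp-content/themes` path to `scan_themes()`; a result of `newer` only means the version is above 5.6.67 and should still be confirmed against the vendor's changelog.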