Flawed WordPress theme may allow admin account takeover on 22,000+ sites (CVE-2025-4322)
A critical vulnerability (CVE-2025-4322) in Motors, a WordPress theme popular with car/motor dealerships and rental services, can be easily exploited by unauthenticated attackers to take over admin accounts and gain full control over target WP-based sites.
The privileges thus acquired allow attackers to inject scripts that steal user data, make download links point to malware, redirect visitors to malicious sites, install a backdoor, or steal data saved in the underlying database.
About CVE-2025-4322
Motors is a paid WordPress theme developed by StylemixThemes, made especially to cater to businesses involved in selling, renting out and repairing cars, motors, boats, and other personal transportation vehicles.
CVE-2025-4322 is an unauthenticated privilege escalation vulnerability that affects all versions of the Motors theme up to and including version 5.6.67.
“This [vulnerability] is due to the theme not properly validating a user’s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account,” says WordPress security company Wordfence.
The vulnerability was reported earlier this month by a bug hunter who goes by “Foxyyy” through Wordfence’s bug bounty program for WP plugins and themes. The makers of the Motors theme released a patched version on May 14.
Risk mitigation and remediation
Admins of WP sites using the Motors theme are advised to upgrade it to version 5.6.68 and review logs for evidence of unauthorized password changes and unauthorized access.
If they find any indication that the site has been compromised and/or modified, they should:
- Temporarily disable public access to it.
- Use security plugins or manually check the installation for new or unknown admin users, modified WP core files, and unexpected plugins.
- Reset all WP user passwords (especially those for admin accounts), database password(s), hosting account credentials, and invalidate old sessions.
- Delete unauthorized accounts, remove suspicious plugins and files, and replace tainted WordPress core files with clean ones from wordpress.org.
- Check for and remove scripts that attackers may have installed to ensure future access.
- Harden their WP site.
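WordPress core does not write password changes to a log, so the log review recommended above needs a source. The following must-use plugin is an added example (not code from the Motors theme, Wordfence, or WordPress core) that records every password change together with request context; the hooks it uses are core hooks (`wp_set_password` exists since WordPress 6.2), while the `pca_` prefix and the log line format are my own choices.

```php
<?php
/*
Plugin Name: Password Change Audit (added example)
Description: Logs every password change with request context for later review.
*/
// Added example, not code from the Motors theme, Wordfence, or WordPress core.
// Place in wp-content/mu-plugins/ so it loads before any theme or plugin code.

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Write one JSON line per password change to the PHP/server error log.
function pca_record( $user_id, $source ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $entry = array(
        'time'       => gmdate( 'c' ),
        'source'     => $source, // which hook observed the change
        'user_id'    => $user->ID,
        'user_login' => $user->user_login,
        'roles'      => $user->roles,
        'is_admin'   => in_array( 'administrator', (array) $user->roles, true ),
        // Triage context: a change with actor_id 0 (no logged-in user) that did not
        // come through the normal lost-password flow is what to look for when reviewing.
        'actor_id'   => get_current_user_id(),
        'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'request'    => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'user_agent' => isset( $_SERVER['HTTP_USER_AGENT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '',
    );
    error_log( 'password-audit ' . wp_json_encode( $entry ) );
}

// Fires after wp_update_user(); compare stored hashes to detect a password change.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $new = get_userdata( $user_id );
    if ( $new && $old_user_data && $new->user_pass !== $old_user_data->user_pass ) {
        pca_record( $user_id, 'profile_update' );
    }
}, 10, 2 );

// Fires inside reset_password(), the normal "lost password" flow.
add_action( 'password_reset', function ( $user ) {
    pca_record( $user->ID, 'password_reset' );
}, 10, 1 );

// Fires inside wp_set_password() (WordPress 6.2+); code that calls wp_set_password()
// directly never triggers profile_update, so this hook covers that path.
add_action( 'wp_set_password', function ( $password, $user_id ) {
    pca_record( $user_id, 'wp_set_password' );
}, 10, 2 );
```

One change may be recorded by more than one hook (a lost-password reset hits both `password_reset` and `wp_set_password`); that duplication is harmless for review, and the entries to focus on are admin-role changes with `actor_id` 0 outside the reset flow.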