cbcvebase.
CVE-2025-4322
published 2025-05-20


Priority: P192 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In-the-wild exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 18.24% (96.9th percentile)
The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.

Detection & IOCs (extracted from sources)

path: /login-register
path: /account
path: /reset-password
command: POST {{paths}}/?user_id=1&hash_check=%25C0 HTTP/1.1 Content-Type: application/x-www-form-urlencoded stm_new_password={{password}}
other: hash_check=%25C0
other: stm_new_password
path: /wp-content/themes/motors/style.css
yara: contains_all(body, "Enter new password", "stm-validation-message")
sigma: WordPress Motors Theme Privilege Escalation (CVE-2025-4322)
  • Probe for the Motors theme Login Register widget by sending specially crafted POST requests with an invalid UTF-8 'hash_check' parameter (%C0) to common login/account paths such as /login-register, /account, /reset-password, /signin.
  • Detect POST requests containing 'hash_check=%25C0' (or raw %C0 invalid UTF-8) combined with 'stm_new_password' in the body targeting WordPress sites running the Motors theme.
  • Alert on POST requests with query parameter 'user_id=1' alongside 'hash_check' containing invalid UTF-8 bytes, as attackers target user ID 1 (default WordPress admin).
  • Monitor for sudden appearance of new WordPress administrator accounts or existing administrators being locked out (passwords no longer working) as indicators of successful exploitation.
  • Flag HTTP responses returning status 200 with body containing both 'Enter new password' and 'stm-validation-message' strings, which indicate a successful password reset page hit on a vulnerable Motors theme installation.
  • Identify Motors theme installations by scanning for the fingerprint string '/wp-content/themes/motors/style.css' in page bodies.
  • Known attacker-set passwords observed in active exploitation campaigns include: Testtest123!@#, rzkkd$SP3znjrn, Kurd@Kurd12123, owm9cpXHAZTk, db250WJUNEiG — monitor authentication logs for these values.
  • The exploit targets the 'updatePassword()' function within the Motors theme's 'Login Register' widget. The widget must be present and accessible on the site for exploitation to succeed; sites not using this widget are not directly vulnerable via this attack path.
  • The vulnerability affects all Motors theme versions up to and including 5.6.67; version 5.6.68 contains the fix. Detection rules targeting version strings should flag anything <= 5.6.67.
  • Wordfence reported blocking 23,100 exploitation attempts against its customers by June 7, 2025, indicating wide-scale automated scanning; high-volume POST traffic to login/account paths should be treated as suspicious.
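The request-level indicators above (a POST whose 'hash_check' query parameter is invalid UTF-8, combined with 'stm_new_password' in the form body, and 'user_id=1' as an aggravating signal) can be turned into a small classifier for web-server or WAF logs. This is an added illustration written for this page, not a rule shipped by cbcvebase, Wordfence or VulnCheck; the sample requests and the function names are constructed. It also unwinds up to two layers of percent-encoding, so both the double-encoded '%25C0' and a raw '%C0' are caught.

```python
from urllib.parse import urlparse, unquote_to_bytes

# Constructed sample requests (method, URL, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/login-register/?user_id=1&hash_check=%25C0", "stm_new_password=Testtest123!@%23"),
    ("POST", "/account/?user_id=7&hash_check=%C0", "stm_new_password=x&submit=1"),
    ("POST", "/reset-password/?user_id=7&hash_check=9f2a77c1", "stm_new_password=x"),
    ("GET", "/wp-content/themes/motors/style.css", ""),
    ("POST", "/wp-login.php", "log=editor&pwd=hunter2"),
]

def parse_raw_params(qs: str) -> dict:
    """Split a query string or form body WITHOUT percent-decoding the values,
    so the encoded form of hash_check is preserved for inspection."""
    return dict(p.split("=", 1) for p in qs.split("&") if "=" in p)

def is_invalid_utf8(encoded: str, layers: int = 2) -> bool:
    """True if the value, after up to `layers` rounds of percent-decoding
    (%25C0 -> %C0 -> byte 0xC0), yields bytes that are not valid UTF-8."""
    current = encoded
    for _ in range(layers):
        raw = unquote_to_bytes(current)
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            return True
    return False

def classify_request(method: str, url: str, body: str) -> dict:
    """Return the matched indicators and whether they add up to an alert."""
    hits = []
    if method.upper() == "POST":
        query = parse_raw_params(urlparse(url).query)
        form = parse_raw_params(body)
        if "hash_check" in query and is_invalid_utf8(query["hash_check"]):
            hits.append("hash_check_invalid_utf8")
        if "stm_new_password" in form:
            hits.append("stm_new_password_in_body")
        if query.get("user_id") == "1":
            hits.append("user_id_1_targeted")
    # The two core indicators together are the exploit signature; either one
    # alone (e.g. a legitimate reset posting stm_new_password) is too weak.
    alert = {"hash_check_invalid_utf8", "stm_new_password_in_body"} <= set(hits)
    return {"alert": alert, "indicators": hits}

def scan(requests) -> list:
    """Run the classifier over (method, url, body) tuples; return alerting URLs."""
    alerts = []
    for method, url, body in requests:
        result = classify_request(method, url, body)
        if result["alert"]:
            alerts.append((url, result["indicators"]))
    return alerts

if __name__ == "__main__":
    for url, indicators in scan(SAMPLE_REQUESTS):
        print(f"ALERT {url}: {', '.join(indicators)}")
```

Raise `layers` if the front-end proxy logs the URL before its own decoding pass; the third sample shows that a well-formed hash_check with a password change does not alert on its own.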

CVSS provenance

NVD: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL