CVE-2025-4322
Published: 2025-05-20
Priority: P192 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW) · VulnCheck KEV · Initial access
EPSS: 18.24% (96.9th percentile)
The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.
Detection & IOCs (extracted from sources)
Probe request (templated):
POST {{paths}}/?user_id=1&hash_check=%25C0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded

stm_new_password={{password}}
Fingerprint path: /wp-content/themes/motors/style.css
Response matcher (Nuclei DSL expression, not a YARA rule): contains_all(body, "Enter new password", "stm-validation-message")
Sigma rule: WordPress Motors Theme Privilege Escalation (CVE-2025-4322)
- Probe for the Motors theme Login Register widget by sending crafted POST requests with an invalid UTF-8 'hash_check' parameter (%C0) to common login/account paths such as /login-register, /account, /reset-password and /signin.
- Detect POST requests whose query string carries 'hash_check=%25C0' (or a raw %C0 invalid UTF-8 byte) and whose body contains 'stm_new_password', targeting WordPress sites running the Motors theme.
- Alert on POST requests with query parameter 'user_id=1' alongside a 'hash_check' value containing invalid UTF-8 bytes; attackers target user ID 1 because it is normally the site's first administrator account.
- Monitor for new WordPress administrator accounts appearing, or existing administrators being locked out (their passwords no longer working), as indicators of successful exploitation.
- Flag HTTP 200 responses whose body contains both 'Enter new password' and 'stm-validation-message'; together they show that the password-update form of a vulnerable Motors installation was reached.
- Identify Motors theme installations by the fingerprint string '/wp-content/themes/motors/style.css' in page bodies.
- Known attacker-set passwords observed in active exploitation include Testtest123!@#, rzkkd$SP3znjrn, Kurd@Kurd12123, owm9cpXHAZTk and db250WJUNEiG; monitor authentication logs for these values.
- The exploit targets the 'updatePassword()' function in the Motors theme's 'Login Register' widget. The widget must be present and reachable on the site for exploitation to succeed; sites that do not use it are not directly vulnerable via this path.
- All Motors versions up to and including 5.6.67 are affected; 5.6.68 contains the fix. Detection rules keyed on version strings should flag anything <= 5.6.67.
- Wordfence reported blocking 23,100 exploitation attempts against its customers by June 7, 2025, indicating wide-scale automated scanning; high-volume POST traffic to login/account paths should be treated as suspicious.
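The indicators above, run offline as one triage script: it decodes the hash_check value once and twice so both the raw %C0 and the double-encoded %25C0 form are caught, applies the user_id=1, response-marker, fingerprint and known-password checks to each request/response pair, and compares a style.css 'Version:' header against the 5.6.68 fix cutoff. This is an added example, not code from Wordfence, the Nuclei template or the Motors theme; the HttpExchange records and the style.css text are constructed for illustration.

```python
"""Offline triage helpers for the CVE-2025-4322 indicators listed above.

Added example for this page; not code from Wordfence, the Nuclei template
or the Motors theme. The sample exchanges and style.css text at the bottom
are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote_to_bytes, urlsplit
import re

FIXED_VERSION = (5, 6, 68)          # 5.6.68 is the first patched release
FINGERPRINT = "/wp-content/themes/motors/style.css"
RESET_FORM_MARKERS = ("Enter new password", "stm-validation-message")
# Passwords Wordfence saw attackers set during the campaign (listed above).
KNOWN_ATTACKER_PASSWORDS = {
    "Testtest123!@#", "rzkkd$SP3znjrn", "Kurd@Kurd12123",
    "owm9cpXHAZTk", "db250WJUNEiG",
}


@dataclass
class HttpExchange:
    """One request/response pair as a WAF or full-request log records it."""
    method: str
    url: str                 # path plus query string, still percent-encoded
    req_body: str = ""
    status: int = 0
    resp_body: str = ""


def invalid_utf8_param(raw_value):
    """True if the value is not valid UTF-8 after one or two rounds of
    percent-decoding, so hash_check=%C0 and hash_check=%25C0 both match."""
    b = raw_value.encode() if isinstance(raw_value, str) else raw_value
    for _ in range(2):
        b = unquote_to_bytes(b)
        try:
            b.decode("utf-8")
        except UnicodeDecodeError:
            return True
    return False


def query_params(url):
    """Query values kept percent-encoded; first occurrence of a key wins."""
    out = {}
    for part in urlsplit(url).query.split("&"):
        if part:
            key, _, value = part.partition("=")
            out.setdefault(key, value)
    return out


def classify(x):
    """Return the names of the indicators above that an exchange triggers."""
    hits = []
    q = query_params(x.url)
    bad_hash = "hash_check" in q and invalid_utf8_param(q["hash_check"])
    if x.method == "POST" and bad_hash and "stm_new_password=" in x.req_body:
        hits.append("motors_password_update_probe")
    if bad_hash and q.get("user_id") == "1":
        hits.append("targets_user_id_1")
    if x.status == 200 and all(m in x.resp_body for m in RESET_FORM_MARKERS):
        hits.append("reset_form_reached")
    if FINGERPRINT in x.resp_body:
        hits.append("motors_theme_fingerprint")
    new_pw = parse_qs(x.req_body).get("stm_new_password", [None])[0]
    if new_pw in KNOWN_ATTACKER_PASSWORDS:
        hits.append("known_attacker_password")
    return hits


def version_from_style_css(css):
    """Pull the 'Version:' header out of a theme's style.css."""
    m = re.search(r"^\s*Version:\s*([0-9.]+)", css, re.M)
    return m.group(1) if m else None


def is_vulnerable_version(version):
    """Anything below 5.6.68 (i.e. <= 5.6.67) is in the affected range."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


# Constructed sample traffic: two exploitation attempts, one benign password
# change by a logged-in user, and a page load that exposes the fingerprint.
SAMPLES = [
    HttpExchange("POST", "/login-register/?user_id=1&hash_check=%25C0",
                 "stm_new_password=Testtest123!@%23", 200,
                 '<div class="stm-validation-message">Enter new password</div>'),
    HttpExchange("POST", "/account/?user_id=1&hash_check=%C0",
                 "stm_new_password=owm9cpXHAZTk", 302, ""),
    HttpExchange("POST", "/account/?user_id=7&hash_check=3f9a2c1b",
                 "stm_new_password=Winter2025", 200, "ok"),
    HttpExchange("GET", "/", "", 200,
                 '<link rel="stylesheet" href="/wp-content/themes/motors/style.css?ver=5.6.67">'),
]
SAMPLE_STYLE_CSS = "/*\nTheme Name: Motors\nVersion: 5.6.67\n*/"


if __name__ == "__main__":
    for x in SAMPLES:
        print(x.method, x.url, "->", classify(x) or "clean")
    v = version_from_style_css(SAMPLE_STYLE_CSS)
    print("style.css version", v, "vulnerable:", is_vulnerable_version(v))
```

Access logs alone cannot evaluate the body-based rules, since the POST body is not logged; feed this from a WAF or reverse-proxy log that records request bodies, or from captured traffic. The version check deliberately treats a bare "5.6" as vulnerable, because every 5.6.x release before 5.6.68 is.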
CVSS provenance
NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-5xrp-299q-mxxj · ghsa_unreviewed · 2025-05-20 · CVE-2025-4322 [CRITICAL] · CWE-620 (Unverified Password Change)
Description: identical to the CVE text above.
VulnCheck
Unverified Password Change · vulncheck · 2025 · CVSS 9.8 · CVE-2025-4322 [CRITICAL]
Description: identical to the CVE text above.
Affected: StylemixThemes Motors - Car Dealer, Rental & Listing WordPress Theme
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/theme/motors/vulnerability/wordpress-motors-plugin-5-6-
No detection rules found.
Nuclei
Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover · nuclei · CVSS 9.8 · CVE-2025-4322 [CRITICAL]
Description: identical to the CVE text above.
Template (excerpt):
id: CVE-2025-4322

info:
  name: Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover
  author: DhiyaneshDK
  severity: critical
  description: |
    The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.
Bleepingcomputer
## WordPress Motors theme flaw mass-exploited to hijack admin accounts
blogs_bleepingcomputer · 2025-06-21 · CVSS 9.8 · CVE-2025-4322 [CRITICAL]
By Bill Toulas
Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme "Motors" to hijack administrator accounts and gain complete control of a targeted site.
The malicious activity was spotted by Wordfence, which had warned last month about the severity of the flaw, tracked under CVE-2025-4322, urging users to upgrade immediately.
Motors, developed by StylemixThemes, is a WordPress theme popular among automotive-related websites. It has 22,460 sales on the EnvatoMarket and is backed by an active community of users.
The privilege escalation vulnerability was discovered on May 2, 2025, and first reported by Wordfence on May 19; it affects all versions up to and including 5.6.67.
Checkpoint
## 26th May – Threat Intelligence Report
blogs_checkpoint · 2025-05-26 · tagged CVE-2025-4918
For the latest discoveries in cyber research for the week of 26th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Cellcom, a Wisconsin-based wireless provider, has been impacted by a cyberattack that resulted in widespread outages of voice and SMS services beginning on May 14, 2025. The incident disrupted communication for customers across Wisconsin and Upper Michigan, leaving them unable to make phone calls or send text messages. No threat
Bleepingcomputer
## Premium WordPress 'Motors' theme vulnerable to admin takeover attacks
blogs_bleepingcomputer · 2025-05-20 · CVSS 9.8 · [CRITICAL]
By Bill Toulas
A critical privilege escalation vulnerability has been discovered in the premium WordPress theme Motors, which allows unauthenticated attackers to hijack administrator accounts and take complete control of websites.
Developed by StylemixThemes, Motors is one of the top-selling automotive themes for the WordPress platform. It is very popular among automotive businesses such as car dealerships, rental services, and used vehicle listing platforms.
It has over 22,300 sales on the Envato market, with hundreds of user reviews and thousands of comments, indicating a highly active community around it.
The flaw, tracked as CVE-2025-4322, was publicly disclosed by Wordfence earlier today and added to the Na