A critical-severity vulnerability (CVE-2025-4322) was discovered in the popular Motors theme for WordPress, affecting all versions up to and including 5.6.67. This flaw allowed unauthenticated attackers to escalate privileges by resetting passwords for any user, including administrators, resulting in full site takeover.
Timeline of Disclosure and Exploitation
The vulnerability was reported in early May 2025 and publicly disclosed by Wordfence on May 20, 2025. A patch (version 5.6.68) was released by the theme developer, StylemixThemes, on May 14, 2025. Despite the patch, mass exploitation did not begin immediately. Instead, widespread attacks started several weeks after the public disclosure, as attackers leveraged proof-of-concept (PoC) code and automated tools to target vulnerable sites.
Nature and Impact of Exploitation
The vulnerability stemmed from improper validation of user identity during password updates, enabling attackers to change any account’s password, including those with administrator privileges. Once an attacker gained administrative access, they could:
• Inject malicious scripts
• Steal user data
• Redirect visitors to malicious sites
• Install backdoors
• Modify download links to distribute malware
Over 22,000 WordPress sites using the Motors theme were at risk, with many actively targeted once mass exploitation began.
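To make the flaw class concrete, here is an added PHP illustration (not the Motors theme's code, and not the actual vulnerable handler): a front-end "change password" AJAX endpoint written in the flawed shape the advisory describes, followed by a hardened version. The hook names, request field names and the `demo_` function names are assumptions chosen for the example.

```php
<?php
// Added illustration, not Motors theme code. Hook and field names are assumed.

// WEAK: reachable without login (wp_ajax_nopriv_) and trusts the request to say
// whose password is being updated, so any account, including admins, can be reset.
add_action( 'wp_ajax_nopriv_demo_change_password', 'demo_change_password_weak' );
function demo_change_password_weak() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );                   // attacker-controlled
    $password = (string) wp_unslash( $_POST['new_password'] ?? '' );
    wp_set_password( $password, $user_id );                         // no identity check
    wp_send_json_success();
}

// HARDENED: the caller must be logged in, prove request intent (nonce), act only
// on an account they may edit, and re-authenticate with the current password.
add_action( 'wp_ajax_demo_change_password', 'demo_change_password_hardened' );
function demo_change_password_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );       // dies here
    }
    check_ajax_referer( 'demo_change_password', 'nonce' );          // CSRF protection

    // Identity comes from the session, never from the request body.
    $user_id = get_current_user_id();
    $current = (string) wp_unslash( $_POST['current_password'] ?? '' );
    $new     = (string) wp_unslash( $_POST['new_password'] ?? '' );

    // Server-side authorization check (map_meta_cap resolves edit_user per target).
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Re-authenticate before a sensitive change: the stored hash must match.
    $user = get_userdata( $user_id );
    if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }

    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $new, $user_id );
    wp_destroy_other_sessions();                                    // evict other logins
    wp_send_json_success( 'password updated' );
}
```

The key difference is the source of truth for "which user": the weak handler lets the request decide, the hardened one derives it from the authenticated session and still verifies capability and the existing password.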
Contributing Factors to Delayed Mass Exploitation
The delay in mass exploitation, compared to immediate attacks seen with some plugin vulnerabilities, may be attributed to:
• The theme’s premium status (less ubiquitous than free plugins)
• The time required for attackers to weaponize PoC code and scale automated attacks
Once exploits became widely available, attackers rapidly compromised unpatched sites.
Mitigation and Recommendations
• Users are strongly advised to update to Motors version 5.6.68 or later immediately, as themes cannot be easily disabled or swapped like plugins.