Vulnerability that allows full admin takeover found in premium WordPress theme
- ‘Motors’ allowed threat actors to take over admin accounts
- This enabled full website takeover
- The developers released a fix
Motors, a premium theme for WordPress, was carrying a critical-severity vulnerability that allowed malicious actors to fully take over compromised websites.
The privilege escalation flaw, due to the theme improperly validating user identities before updating passwords, is now tracked as CVE-2025-4322, and has a severity score of 9.8/10 (critical).
Security researchers Wordfence, who first spotted this bug, explained how threat actors could use it to “change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.”
Premium themes
Obviously, having access to an admin account grants the malicious actors all kinds of privileges, including complete website takeover. All versions up to 5.6.68 are affected. The update that addresses the flaw was released on May 14, 2025. Since themes are not as simple to suspend, or swap, as plugins, users are advised to update their Motors as soon as possible.
Motors is a car dealer WordPress theme, designed for auto dealers, classified listing, auto rental, boats, repair services, and motorcycle dealers. It is developed by a company called StylemixThemes and, according to BleepingComputer, is one of the top-selling themes of its kind. On the Envato market, it is selling for $79 and has been sold more than 22,300 times.
WordPress is the world’s number one website builder platform, powering more than half of all websites on the internet. This also makes it a major target for cybercriminals but, since it’s mostly secure, hackers are looking for exploits in themes and add-ons, which are used as stepping stones for further compromise.
For example, in early March this year, news broke that malicious JavaScript code was deployed into more than 1,000 WordPress websites, following compromised extras. Users are advised to only keep the add-ons they are actually using, and to keep them updated at all times.
Via BleepingComputer
You might also like
‘Motors’ allowed threat actors to take over admin accounts This enabled full website takeover The developers released a fix Motors, a premium theme for WordPress, was carrying a critical-severity vulnerability that allowed malicious actors to fully take over compromised websites. The privilege escalation flaw, due to the theme improperly validating…
