Critical Vulnerability Discovered in Premium WordPress ‘Motors’ Theme Allows Potential Admin Takeover


A serious privilege escalation vulnerability has been identified in the premium WordPress theme Motors, enabling unauthenticated attackers to take over administrator accounts and gain complete control of websites.

Motors, developed by StylemixThemes, is a widely acclaimed automotive theme used by car dealerships, rental services, vehicle listing platforms and similar automotive businesses. With over 22,300 sales on the Envato Market and a significant community presence reflected in numerous user reviews and comments, it is among the top-selling themes in its category.

The vulnerability, designated as CVE-2025-4322, was recently disclosed by Wordfence and has been cataloged in the National Vulnerability Database. This issue affects all versions of the Motors theme up to and including 5.6.67.

The root of this vulnerability lies in the theme’s failure to adequately verify a user’s identity before allowing password updates. This oversight permits unauthenticated attackers to alter the passwords of arbitrary users, including administrators, thereby facilitating unauthorized access.
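The bug class described above is an authorization failure in a password-change handler: the account to modify is taken from the request instead of from the authenticated session. The following is an added illustration written for this post, not code from the Motors theme or from StylemixThemes; the handler names prefixed `hypothetical_` and the nonce action string are invented, while the WordPress functions called (`wp_set_password`, `get_current_user_id`, `wp_verify_nonce`, `wp_check_password`, `wp_set_auth_cookie`, `get_userdata`, `wp_die`, `add_action`) are real core APIs. It places a minimal vulnerable pattern next to a hardened version of the same handler.

```php
<?php
// Added illustration of the bug class (NOT the Motors theme's code).
// Hypothetical handler names; the wp_* / get_* calls are real WordPress APIs.

// VULNERABLE PATTERN (hypothetical): the target user ID comes from the request
// and nothing checks who is asking, so any visitor can set any account's password.
function hypothetical_vulnerable_change_password() {
    if ( empty( $_POST['user_id'] ) || empty( $_POST['new_password'] ) ) {
        return;
    }
    $user_id = (int) $_POST['user_id'];                   // attacker-controlled
    wp_set_password( $_POST['new_password'], $user_id );  // no identity/authorization check
}

// HARDENED PATTERN: the session decides whose password changes, the form carries a
// nonce, the current password is re-verified, and the new value is policy-checked.
function hypothetical_hardened_change_password() {
    // 1. Require an authenticated session; never accept a user ID from the request.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', '', array( 'response' => 401 ) );
    }
    $user_id = get_current_user_id();

    // 2. CSRF protection: the submitted nonce must match this specific action.
    $nonce = isset( $_POST['_wpnonce'] ) ? (string) $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'hypothetical_change_password' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 3. Re-authenticate: the caller must prove knowledge of the current password.
    $user    = get_userdata( $user_id );
    $current = isset( $_POST['current_password'] ) ? (string) $_POST['current_password'] : '';
    if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_die( 'Current password is incorrect.', '', array( 'response' => 403 ) );
    }

    // 4. Minimal policy on the new value, then set it for the session's own user.
    $new = isset( $_POST['new_password'] ) ? (string) $_POST['new_password'] : '';
    if ( strlen( $new ) < 12 ) {
        wp_die( 'Password too short.', '', array( 'response' => 400 ) );
    }
    wp_set_password( $new, $user_id );

    // 5. The existing auth cookie is derived from the old password hash, so re-issue it
    //    for this user; other sessions for the account are no longer valid.
    wp_set_auth_cookie( $user_id );
}

// Route a front-end form posted to admin-post.php?action=hypothetical_change_password
// to the hardened handler (the admin_post_{action} hook is a core WordPress pattern).
add_action( 'admin_post_hypothetical_change_password', 'hypothetical_hardened_change_password' );
```

The essential difference is step 1: the hardened handler derives the account from `get_current_user_id()` and ignores any user identifier in the request, which is what removes the arbitrary-user reset. For the unauthenticated "forgot password" case, a theme should defer to core's reset flow (`retrieve_password()` and `check_password_reset_key()`), which ties the reset to an emailed, expiring key, rather than implementing its own password update endpoint.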

Once an attacker secures administrator-level access, the potential consequences include the deployment of malware, data exfiltration of sensitive member information, and the redirection of visitors to harmful websites.

In response to this critical vulnerability, StylemixThemes released an updated version, 5.6.68, on May 14, 2025, addressing CVE-2025-4322.

Given the fundamental role of WordPress themes in website functionality, it is crucial that users of the Motors theme upgrade to the latest version promptly. The vendor has provided a thorough online guide detailing the update process, including methods for updating through the WordPress panel, the Envato API, or manually via FTP.

It is advisable to back up websites prior to any theme update to mitigate the risk of potential data loss. Although this issue lies in a theme rather than in a widely used WordPress plugin, it remains a significant security concern.

Given its price of $79 for a standard license and $2,000 for an extended license, the Motors theme is predominantly deployed on active websites, especially those run by commercial operations.