- The Motors theme allowed threat actors to take control of administrator accounts
- This allowed a complete takeover of the website
- The developers have published a fix
Motors, a premium theme for WordPress, carried a critical-severity vulnerability that allowed malicious actors to fully compromise websites.
The privilege-escalation flaw, caused by the theme failing to validate user identities before updating passwords, is now tracked as CVE-2025-4322 and carries a severity score of 9.8/10 (critical).
Wordfence security researchers, who first spotted the bug, explained that threat actors could use it to “modify the passwords of arbitrary users, including those of administrators, and take advantage of them to access their account”.
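To make the bug class concrete, here is an added illustrative example (not the Motors theme's own code): a WordPress password-update handler in the vulnerable shape the researchers describe, next to a hardened version. The function and hook names (`demo_update_password_*`, `demo_update_password`) are hypothetical; the WordPress API calls are real.

```php
<?php
// VULNERABLE shape (shown for contrast only, never register it): the target
// user ID comes straight from the request and nothing checks that the
// requester is that user or is allowed to edit that user.
function demo_update_password_vulnerable() {
    $user_id  = (int) $_POST['user_id'];
    $password = (string) $_POST['new_password'];
    wp_set_password( $password, $user_id ); // any visitor can reset any account
    wp_send_json_success();
}

// HARDENED version: CSRF nonce, authentication, and an identity/capability
// check before the password is changed, plus re-entry of the current password.
function demo_update_password_hardened() {
    check_ajax_referer( 'demo_update_password', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Not authenticated', 401 );
    }

    $user_id  = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    $current  = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    $is_self  = ( $user_id === get_current_user_id() );

    // Only the account owner, or a user who may edit that account (edit_user
    // is an administrator-level meta capability), may proceed.
    if ( ! $is_self && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // Self-service changes must prove possession of the current password.
    $user = get_userdata( $user_id );
    if ( ! $user || ( $is_self && ! wp_check_password( $current, $user->user_pass, $user_id ) ) ) {
        wp_send_json_error( 'Current password incorrect', 403 );
    }

    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'Password too short', 400 );
    }

    wp_set_password( $password, $user_id );
    // Revoke every other session of the account after a credential change.
    WP_Session_Tokens::get_instance( $user_id )->destroy_others( wp_get_session_token() );
    wp_send_json_success();
}

// Logged-in users only; no wp_ajax_nopriv_ hook, so anonymous requests never reach it.
add_action( 'wp_ajax_demo_update_password', 'demo_update_password_hardened' );
```

The essential difference is that the hardened handler ties the password change to the authenticated requester's identity and capabilities rather than trusting a user ID supplied in the request.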
Premium themes
Obviously, access to an administrator account grants malicious actors all kinds of privileges, including complete takeover of the website. All versions up to 5.6.68 are affected. The update that addresses the flaw was published on May 14, 2025. Since themes are not as easy to disable or swap out as plugins, users are advised to update Motors as soon as possible.
Motors is a WordPress theme for the automotive trade, designed for car dealerships, classified listings, car rental, boats, repair services and motorcycle dealers. It is developed by a company called StylemixThemes and, according to BleepingComputer, is one of the best-selling themes of its kind. On the Envato market it sells for $79 and has been sold more than 22,300 times.
WordPress is the number one website-building platform, powering more than half of all websites on the Internet. This also makes it a major target for cybercriminals, but since the core is largely secure, attackers look for exploits in themes and plugins, which are then used as a springboard for further compromise.
For example, in early March of this year, it was reported that malicious JavaScript code had been deployed on more than 1,000 WordPress websites after plugins were compromised. Users are advised to keep only the plugins they really use and to keep them up to date at all times.
Via BleepingComputer