WordPress “Motors” Theme Critical Flaw (CVE-2025-4322, CVSS 9.8): Unauthenticated Account Takeover & Mass Exploitation Underway
A critical vulnerability discovered in the WordPress visual theme “Motors” has enabled hackers to seize administrative privileges en masse, granting them full control over compromised websites. Identified as CVE-2025-4322, the flaw represents a privilege escalation issue and was uncovered on May 2, 2025. The security team at Wordfence conducted the investigation and issued a public advisory on May 19, urging users to apply the patch without delay.
“Motors” is a commercial WordPress template developed by StylemixThemes. In WordPress terminology, a “theme” defines the site’s visual design, user interface layout, and display format, often incorporating additional functionality. Widely adopted among automotive-related platforms—from dealership websites to vehicle marketplaces—Motors has been downloaded more than 22,460 times via the EnvatoMarket marketplace.
The vulnerability affects all versions up to and including 5.6.68. A patch was released on May 14; however, many administrators had yet to update, and by May 20—just a day after public disclosure—exploitation attempts had already begun. As of June 7, Wordfence had recorded over 23,100 instances of active exploitation.
The root of the issue lies within the built-in “Login Register” widget, which manages authentication, registration, and password recovery. The vulnerability stems specifically from flawed logic in the password reset mechanism.
The attack begins with the identification of an active path to the login form—typically URLs such as /login-register, /account, /reset-password, or /signin. The attacker then initiates a series of POST requests containing deliberately malformed data, continuing until the server confirms the presence of the target endpoint.
Within the body of a successful request, a malicious value is passed to the ‘hash_check’ parameter, encoded with invalid UTF-8 characters. This triggers a failure in the hash validation process, mistakenly marking the request as legitimate and permitting a password reset.
The attacker then injects a new password into the ‘stm_new_password’ parameter and designates a user ID—commonly ID=1, corresponding to the original administrator account.
As a result, the hacker overrides the admin password, gains access to the site’s backend, and can create additional privileged accounts to maintain control.
Wordfence warns that telltale signs of compromise include unexpected lockouts of existing admin credentials and the appearance of unfamiliar accounts with elevated privileges—clear indicators of CVE-2025-4322 exploitation.
The report also lists IP addresses associated with the attacks, recommending that site owners temporarily block these sources at the web server level to mitigate automated intrusion attempts.
Researchers have identified specific credentials used by attackers during password injection:
- Testtest123!@#
- rzkkd$SP3znjrn
- Kurd@Kurd12123
- owm9cpXHAZTk
- db250WJUNEiG
The presence of any of these passwords in logs or the admin panel should prompt an immediate and thorough security review. All users of the Motors theme are strongly advised to update to version 5.6.68 without delay, audit the list of administrator accounts, and scrutinize activity logs for any signs of irregular behavior.
