Newly Discovered WordPress Motors Theme Vulnerability Allows Admin Password Change

Written by: Lore Apostol, Cybersecurity & Streaming Writer

A newly disclosed critical vulnerability in the widely used Motors WordPress theme enables unauthenticated attackers to escalate their privileges, ultimately achieving administrator access and full site control. 

Developed by StylemixThemes, the Motors theme is a top-selling solution for automotive businesses, including dealerships and rental platforms, with over 22,000 sales via Envato. 

According to Wordfence, the security firm that publicized the vulnerability, the CVE-2025-4322 flaw exists in all theme versions up to and including 5.6.67.
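A quick way to tell whether an installed copy falls in the affected range is to read the `Version:` header of the theme's `style.css` and compare it against 5.6.67 with a proper version comparison (a plain string compare would mis-order `5.6.7` and `5.6.67`). The following is an added example, not code from the theme, from StylemixThemes or from Wordfence; the theme directory name `motors` and the sample header are assumptions.

```php
<?php
/**
 * Added example: decide from a theme's style.css header whether the
 * installed Motors version is within the range the advisory names
 * (all versions up to and including 5.6.67). Not the theme's own code.
 */

const MOTORS_LAST_AFFECTED_VERSION = '5.6.67';

/**
 * Extract the "Version:" header value from a WordPress theme style.css.
 * Returns null when the header is missing.
 */
function theme_version_from_style_css( string $style_css ): ?string {
    // WordPress reads headers as "Name: value" lines inside the file comment.
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(.+?)\s*$/mi', $style_css, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

/**
 * True when the version is one the advisory lists as affected.
 * version_compare() handles multi-digit components correctly.
 */
function motors_version_is_affected( string $version ): bool {
    return version_compare( $version, MOTORS_LAST_AFFECTED_VERSION, '<=' );
}

/**
 * Check an installed theme directory (path is an assumption: adjust to the
 * site's wp-content/themes layout). Returns an array for reporting.
 */
function check_installed_motors( string $themes_dir ): array {
    $style = $themes_dir . DIRECTORY_SEPARATOR . 'motors' . DIRECTORY_SEPARATOR . 'style.css';
    if ( ! is_readable( $style ) ) {
        return [ 'installed' => false, 'version' => null, 'affected' => false ];
    }
    $version = theme_version_from_style_css( (string) file_get_contents( $style ) );
    return [
        'installed' => true,
        'version'   => $version,
        'affected'  => $version !== null && motors_version_is_affected( $version ),
    ];
}

// Constructed sample header, standing in for a real style.css.
$sample_style_css = <<<CSS
/*
Theme Name: Motors
Theme URI: https://example.invalid/
Author: Example
Version: 5.6.67
*/
CSS;

$v = theme_version_from_style_css( $sample_style_css );
printf( "Detected version %s: %s\n", $v, motors_version_is_affected( $v ) ? 'AFFECTED, update required' : 'not in affected range' );
// Note the ordering that a naive string compare would get wrong:
var_dump( motors_version_is_affected( '5.6.7' ) );   // bool(true)  (5.6.7  < 5.6.67)
var_dump( motors_version_is_affected( '5.6.68' ) );  // bool(false) (5.6.68 > 5.6.67)
```

Run it against the real `wp-content/themes` directory with `check_installed_motors('/path/to/wp-content/themes')`; any result with `affected => true` should be updated through the WordPress panel, the Envato API or FTP as the article describes.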

The core issue is improper identity validation during password updates: the theme does not adequately verify that the requester is who they claim to be, which lets an unauthenticated request change the password of any user account, including administrators.
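To make concrete what "identity validation during a password update" means in WordPress terms, here is an added example of a hardened password-change handler; it is not the Motors theme's code and is not based on its implementation. The action name `example_change_password`, the nonce action and the form field names are assumptions. The three controls it enforces are the ones whose absence produces the class of flaw the article describes: the target account comes from the authenticated session rather than from the request, the caller must re-prove the current password, and no unauthenticated (`wp_ajax_nopriv_`) route to the handler is registered.

```php
<?php
/**
 * Added example (not the Motors theme's code): a WordPress AJAX handler
 * that changes a password only for the account that owns the session.
 * Hypothetical action and field names; requires a WordPress runtime.
 */

// Registered for logged-in users only. Deliberately NOT registered on
// 'wp_ajax_nopriv_example_change_password', so anonymous visitors get
// WordPress's default "0"/400 response and never reach this code.
add_action( 'wp_ajax_example_change_password', 'example_change_password' );

function example_change_password(): void {
    // 1. Anti-CSRF: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_change_password', 'nonce' );

    // 2. Identity is taken from the session, never from a user_id/email
    //    field in the request. A handler that trusts $_POST['user_id']
    //    here is the pattern that lets one account reset another's password.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( 'Authentication required.', 401 );
    }
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'Unknown user.', 403 );
    }

    // 3. Re-authentication: prove knowledge of the current password, so a
    //    hijacked browser session alone is not enough to lock the owner out.
    $current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    if ( '' === $current || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'Current password is incorrect.', 403 );
    }

    // 4. Basic validation of the new secret (length and confirmation).
    $new     = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    $confirm = isset( $_POST['confirm_password'] ) ? (string) wp_unslash( $_POST['confirm_password'] ) : '';
    if ( strlen( $new ) < 12 || $new !== $confirm ) {
        wp_send_json_error( 'New password must be at least 12 characters and match the confirmation.', 400 );
    }

    // 5. Apply the change to the session's own account only.
    wp_set_password( $new, $user_id );

    // Changing the password invalidates the current auth cookie; re-issue it
    // so the legitimate user is not silently logged out.
    wp_set_auth_cookie( $user_id, false );

    // 6. Audit trail for the SOC: who changed which account, from where.
    //    Alerting on password changes for administrator accounts is a cheap
    //    detection for abuse of flaws in this class.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf(
        'password changed: user_id=%d login=%s is_admin=%s remote=%s',
        $user_id,
        $user->user_login,
        user_can( $user, 'manage_options' ) ? 'yes' : 'no',
        $remote
    ) );

    wp_send_json_success( 'Password updated.' );
}
```

The client side must obtain the nonce from `wp_create_nonce( 'example_change_password' )` in a page rendered for the logged-in user and post it as the `nonce` field; without it, step 1 rejects the request before any account is touched.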

Attackers exploiting this flaw could, in practice, compromise websites by implanting malware, accessing or exfiltrating sensitive database content, and potentially redirecting site visitors to malicious destinations. 

A detailed online guide on updating Motors via the WordPress panel, the Envato API, or manually via FTP is available. 

Given the business focus and relatively high license cost of Motors ($79 standard, $2,000 extended), the impact is of special concern to organizations that rely heavily on uninterrupted web operations.

This year, a new variant of 'double-click' attacks was seen compromising websites and taking over accounts with minimal user interaction: the victim is shown an OAuth authorization dialog or an account-settings confirmation page that contains hidden harmful elements.
