Vulnerability that allows full admin takeover found in premium WordPress theme
A theme popular in the automotive industry carried a major flaw

- 'Motors' allowed threat actors to take over admin accounts
- This enabled full website takeover
- The developers released a fix
Motors, a premium theme for WordPress, was carrying a critical-severity vulnerability that allowed malicious actors to fully take over compromised websites.
The flaw, a privilege escalation caused by the theme failing to properly validate a user's identity before updating that user's password, is now tracked as CVE-2025-4322 and has a severity score of 9.8/10 (critical).
Security researchers at Wordfence, who first spotted the bug, explained how threat actors could use it to “change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.”
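The class of defect described above, a password-update handler that does not establish who the caller is before changing an account's password, is easiest to see next to a hardened version. The following is an added illustration for this article, not code from the Motors theme or from StylemixThemes, and nothing in it reflects how the actual CVE-2025-4322 bug was written. The function names, form field names and nonce action are assumed for the example; the WordPress functions it calls (wp_set_password, wp_verify_nonce, wp_check_password, current_user_can, check_password_reset_key, get_userdata) are real WordPress APIs.

```php
<?php
// Added illustration, not code from the Motors theme or StylemixThemes.
// Two handlers for a "change password" form: one that trusts a caller-supplied
// user ID, and one that verifies the caller's identity before calling
// wp_set_password(). Field names and the nonce action are assumptions.

// WEAK: whoever submits the form picks the target account. Nothing ties the
// request to the account being changed, so any visitor can set any password.
function demo_weak_change_password() {
    $user_id  = (int) ( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['new_password'] ?? '' );
    wp_set_password( $password, $user_id );
}

// HARDENED: the password of $user_id changes only after the caller proves,
// by one of two paths, that they are entitled to change it.
function demo_hardened_change_password() {
    $user_id  = (int) ( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['new_password'] ?? '' );

    if ( $user_id <= 0 || strlen( $password ) < 12 ) {
        return new WP_Error( 'bad_request', 'Invalid user or password too short.' );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'bad_request', 'Unknown user.' );
    }

    $verified = false;

    // Path 1: a logged-in session. The form must carry a valid nonce bound to
    // this user ID; the caller must either be that user and present the current
    // password, or hold the capability to edit this user (an administrator).
    if ( is_user_logged_in()
         && wp_verify_nonce( (string) ( $_POST['_wpnonce'] ?? '' ), 'demo_change_password_' . $user_id ) ) {
        $is_self    = get_current_user_id() === $user_id;
        $is_admin   = current_user_can( 'edit_user', $user_id );
        $current_ok = wp_check_password( (string) ( $_POST['current_password'] ?? '' ), $user->user_pass, $user_id );
        $verified   = ( $is_self && $current_ok ) || $is_admin;
    }

    // Path 2: the password-reset flow. The reset key was emailed to the account
    // owner; check_password_reset_key() returns the WP_User only when key and
    // login match and the key has not expired.
    if ( ! $verified && ! empty( $_POST['reset_key'] ) ) {
        $owner    = check_password_reset_key( (string) $_POST['reset_key'], $user->user_login );
        $verified = ( $owner instanceof WP_User ) && (int) $owner->ID === $user_id;
    }

    if ( ! $verified ) {
        return new WP_Error( 'forbidden', 'Identity could not be verified.' );
    }

    wp_set_password( $password, $user_id );
    return true;
}
```

The point of the hardened version is that the account whose password changes is never chosen by an unverified request alone: the user ID in the form must match a proven identity (a session plus current password, a capability check, or a reset key issued to that account's owner) before the write happens.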
Premium themes
Obviously, having access to an admin account grants the malicious actors all kinds of privileges, including complete website takeover. All versions up to 5.6.68 are affected. The update that addresses the flaw was released on May 14, 2025. Since themes are not as simple to suspend or swap as plugins, users are advised to update Motors as soon as possible.
Motors is a car dealer WordPress theme, designed for auto dealers, classified listings, auto rental, boats, repair services, and motorcycle dealers. It is developed by a company called StylemixThemes and, according to BleepingComputer, is one of the top-selling themes of its kind. On the Envato market, it sells for $79 and has been sold more than 22,300 times.
WordPress is the world’s number one website builder platform, powering more than half of all websites on the internet. This also makes it a major target for cybercriminals but, since it’s mostly secure, hackers are looking for exploits in themes and add-ons, which are used as stepping stones for further compromise.
For example, in early March this year, news broke that malicious JavaScript code had been deployed to more than 1,000 WordPress websites after their add-ons were compromised. Users are advised to keep only the add-ons they are actually using, and to keep them updated at all times.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.