Mass exploitation of a critical-severity vulnerability in the Motors theme for WordPress started several weeks after public disclosure, WordPress security firm Defiant warns.
The Motors theme is aimed at automotive dealership businesses, including car, motorcycle, boat, and car rental dealers, offering pre-built websites and templates, and support for listing, user and dealer management.
The exploited vulnerability, tracked as CVE-2025-4322 (CVSS score of 9.8), is described as a privilege escalation issue via account takeover.
The bug exists because the theme fails to properly validate user identities prior to updating account passwords, which allows attackers to change the password of any user account.
“This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account,” a NIST advisory reads.
The security defect was patched on May 14 and publicly disclosed on May 19. According to Defiant, the first exploitation attempts targeting the bug were observed on May 20, while mass exploitation started on June 7.
The WordPress security firm warns that over 22,000 websites are using the theme, and that it has blocked more than 23,000 exploit attempts targeting CVE-2025-4322 since the vulnerability was publicly disclosed.
The issue impacts the theme’s Login Register widget, which contains the vulnerable password recovery function. Because the function does not prevent password updates when the hash stored in the user meta value is empty, an attacker can update a user’s password even when that user has not requested a password reset.
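The following PHP is an added illustration, not code from the Motors theme or from Defiant: a password-reset check written the way the article describes the flaw (an empty stored hash is never treated as "no reset pending"), beside a hardened version. The function names, the user-meta layout and the token scheme are assumptions.

```php
<?php
// Added illustration, not the Motors theme's own code. Function names,
// the meta-value layout and the token scheme are hypothetical.

// Flawed pattern: the stored reset hash is compared to the submitted one
// without first checking that a reset is pending at all. When no reset was
// requested the stored value is empty, and an empty submission matches it.
function vulnerable_reset_allowed(string $stored_hash, string $submitted_hash): bool
{
    return $stored_hash == $submitted_hash;
}

// Hardened pattern: refuse when nothing is pending, enforce a lifetime,
// hash the raw token server-side and compare in constant time.
function hardened_reset_allowed(
    string $stored_hash,
    string $submitted_token,
    int $issued_at,
    int $now,
    int $ttl = 3600
): bool {
    // An empty stored hash means no reset was requested: never proceed.
    if ($stored_hash === '' || $submitted_token === '') {
        return false;
    }
    // Expire tokens so a stale one cannot be replayed later.
    if ($now - $issued_at > $ttl) {
        return false;
    }
    // hash_equals() avoids timing differences in the comparison.
    return hash_equals($stored_hash, hash('sha256', $submitted_token));
}

// Constructed scenario 1: an account with no pending reset receives an
// empty submission. Only the flawed check lets this through.
$no_reset = '';
var_dump(vulnerable_reset_allowed($no_reset, ''));
var_dump(hardened_reset_allowed($no_reset, '', 0, time()));

// Constructed scenario 2: a genuine reset, token issued a moment ago.
$token  = bin2hex(random_bytes(16));   // what the user would receive by e-mail
$stored = hash('sha256', $token);      // what would be persisted in user meta
var_dump(hardened_reset_allowed($stored, $token, time(), time()));
```

After a successful reset the stored hash should also be cleared so each token is single-use.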
Successful exploitation of the security defect, Defiant notes, can lead to complete site compromise, as it would provide attackers with access to all administrative functions.
“This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and to modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content,” the security firm explains.
CVE-2025-4322 was resolved in Motors theme version 5.6.68. Users are advised to update to the patched version or a newer release as soon as possible.
