A critical vulnerability in the popular Motors WordPress theme has put around 22,000 websites at risk. The flaw allows attackers to take full control of affected sites without needing to log in.
Security experts discovered that the vulnerability, tracked as CVE-2025-4322, allows unauthenticated users to reset passwords for any account, including administrators. The issue affects all Motors theme versions up to 5.6.67.
How the Vulnerability Works
The problem lies in the theme’s password reset feature. The template file password-recovery.php fails to verify users properly during password changes.
Although the function checks that a hash is present, attackers can bypass this by sending an invalid UTF-8 character. This character is stripped by the esc_attr() function, allowing the password reset to proceed without valid authorization.
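As an added illustration (not code from the Motors theme or from Wordfence), the Python model below contrasts the class of bug described above, a presence check on the raw value followed by a comparison on the sanitized value, with a hardened token check that rejects any input the sanitizer altered. The stored-token table, user names and the sanitizer stand-in are constructed assumptions, not the theme's actual logic.

```python
import hmac
import re

# Constructed sample data (hypothetical): a pending-reset token per user.
# Accounts with no pending reset have no entry.
STORED_RESET_HASH = {
    "alice": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
}
HEX_TOKEN = re.compile(r"[0-9a-f]{64}")


def sanitize(value: bytes) -> str:
    """Stand-in for a sanitizer that silently drops invalid UTF-8 bytes,
    modelling the esc_attr() behaviour the article describes."""
    return value.decode("utf-8", errors="ignore")


def flawed_reset_allowed(user: str, submitted: bytes) -> bool:
    """Simplified model of the bug class: presence is checked on the raw
    input, but the comparison runs on the sanitized value. A single invalid
    byte passes the presence check and sanitizes to the empty string, which
    matches the empty 'no pending reset' value. Not the theme's actual code."""
    if not submitted:
        return False
    stored = STORED_RESET_HASH.get(user, "")
    return sanitize(submitted) == stored


def hardened_reset_allowed(user: str, submitted: bytes) -> bool:
    """Validate the token as received; reject anything the sanitizer changes."""
    clean = sanitize(submitted)
    if clean.encode("utf-8") != submitted:
        return False  # sanitizer altered the input: not a well-formed token
    if not HEX_TOKEN.fullmatch(clean):
        return False  # wrong length or characters: never compare
    stored = STORED_RESET_HASH.get(user)
    if not stored:
        return False  # no pending reset for this account
    return hmac.compare_digest(clean, stored)
```

The hardened path also refuses to compare at all when no reset is pending, so an empty or malformed stored value can never match an empty or malformed submission.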
Security researcher Friderika Baranyai, also known as “Foxyyy,” discovered the flaw and reported it through the Wordfence Bug Bounty Program. She received a reward of over $1,000.
What Attackers Can Do
If attackers gain admin access through this flaw, they can:
- Upload malicious themes or plugins with backdoors
- Redirect users to harmful websites
- Inject spam or malware
- Steal sensitive user data
Growing Security Concerns
This vulnerability adds to growing concerns about WordPress security. According to Wordfence, reported WordPress vulnerabilities increased by 68% in 2024 compared to the previous year.
Risk Summary
| Risk Factor | Details |
|---|---|
| Affected Product | Motors WordPress Theme (versions ≤ 5.6.67) |
| Impact | Attackers can reset any user’s password and gain admin access |
| Exploit Conditions | (1) Public access to the vulnerable WordPress site; (2) Motors theme is active |
| CVSS Score | 9.8 (Critical) |
Mitigation and Protection
Website owners using the Motors theme should update to version 5.6.68 or newer, released by developer StylemixThemes on May 14, 2025.
For those unable to update immediately, these options can help protect affected sites:
- Wordfence Premium, Care, and Response users received a firewall rule on May 6, 2025
- Free Wordfence users will receive the same protection on June 5, 2025
- Site admins can temporarily disable the theme until updates are applied
This incident highlights the need to keep all themes and plugins up to date. It also shows the value of layered security solutions, like Wordfence, that can block attacks before a patch is available.