WordPress: Attacks on security vulnerability in the "Motors" theme

A privilege escalation vulnerability in the "Motors" theme for WordPress is being actively exploited by attackers to take over instances.


(Image: Shutterstock/Kaspars Grinvalds)


IT security researchers have discovered a critical security vulnerability in the WordPress theme “Motors”. It allows attackers to elevate their privileges and subsequently compromise vulnerable WordPress instances. This is exactly what has apparently been happening since the beginning of June.

According to the vulnerability description, the theme does not correctly validate the identity of users before accepting password changes. Attackers from the network can thus change the password of any user without prior authentication – including that of the admin – and so gain full access (CVE-2025-4322 / EUVD-2025-15813, CVSS 9.8, risk “critical”).

The Wordfence software blocked and logged attacks on WordPress instances equipped with it. Several waves of attacks were observed.

(Image: Wordfence)

The IT security researchers at Wordfence write in an analysis that they have been observing mass abuse of the vulnerability in the theme since June 7. The full name of the theme is “Motors — Car Dealer, Rental & Listing”. According to the provider's website, it has been sold around 22,500 times. It is therefore apparently widely used.

The vulnerability can be found in the “Motors” theme up to and including version 5.6.67. The developers have patched the vulnerability in version 5.6.68 from June 12 and newer versions. Admins who rely on the theme should update it quickly and, if necessary, check their WordPress instance for unusual activity or user accounts that have been modified without authorization.
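The check recommended above (looking for accounts modified without authorization) can be done by comparing a snapshot of the WordPress user table taken before the patch with one taken afterwards. The following script is an added example and not code from Wordfence, heise or the theme's developer; it assumes each snapshot is a JSON dump of the wp_users rows with the role joined in from wp_usermeta, and the two snapshots embedded here are constructed sample data.

```python
import json

# Constructed sample snapshots (not real data): one row per account from the
# wp_users table, plus the role taken from wp_usermeta. BASELINE is assumed to
# be a dump taken before the incident window, CURRENT one taken afterwards.
BASELINE_JSON = """[
  {"ID": 1, "user_login": "admin", "user_email": "admin@example.com",
   "user_pass": "$P$BaseHashAdmin0000000000000000000",
   "user_registered": "2023-01-10 08:00:00", "role": "administrator"},
  {"ID": 7, "user_login": "sales", "user_email": "sales@example.com",
   "user_pass": "$P$BaseHashSales0000000000000000000",
   "user_registered": "2024-03-02 09:15:00", "role": "editor"}
]"""

CURRENT_JSON = """[
  {"ID": 1, "user_login": "admin", "user_email": "admin@example.com",
   "user_pass": "$P$BNewHashAdmin11111111111111111111",
   "user_registered": "2023-01-10 08:00:00", "role": "administrator"},
  {"ID": 7, "user_login": "sales", "user_email": "sales@example.com",
   "user_pass": "$P$BaseHashSales0000000000000000000",
   "user_registered": "2024-03-02 09:15:00", "role": "editor"},
  {"ID": 12, "user_login": "wp-support", "user_email": "support@mail.invalid",
   "user_pass": "$P$BNewHashSupport22222222222222222",
   "user_registered": "2025-06-08 03:41:12", "role": "administrator"}
]"""


def load_snapshot(text):
    """Parse a JSON dump into a dict keyed by the numeric user ID."""
    return {row["ID"]: row for row in json.loads(text)}


def diff_snapshots(baseline, current):
    """Return (kind, user_login, detail) tuples for every account change.

    Kinds: new_account, removed_account, password_hash_changed, role_changed,
    email_changed. A changed password hash on an account whose owner did not
    reset it is exactly the trace an unauthenticated password change leaves.
    """
    findings = []
    for uid, cur in current.items():
        base = baseline.get(uid)
        if base is None:
            findings.append(("new_account", cur["user_login"], cur["role"]))
            continue
        if cur["user_pass"] != base["user_pass"]:
            findings.append(("password_hash_changed", cur["user_login"], cur["role"]))
        if cur["role"] != base["role"]:
            findings.append(("role_changed", cur["user_login"],
                             f'{base["role"]} -> {cur["role"]}'))
        if cur["user_email"] != base["user_email"]:
            findings.append(("email_changed", cur["user_login"],
                             f'{base["user_email"]} -> {cur["user_email"]}'))
    for uid, base in baseline.items():
        if uid not in current:
            findings.append(("removed_account", base["user_login"], base["role"]))
    return findings


def high_priority(findings):
    """Changes touching an administrator account are the ones to act on first."""
    return [f for f in findings if "administrator" in f[2]]


if __name__ == "__main__":
    baseline = load_snapshot(BASELINE_JSON)
    current = load_snapshot(CURRENT_JSON)
    for finding in diff_snapshots(baseline, current):
        print(*finding)
```

On the constructed data the script reports a changed password hash for the admin account and a newly created administrator account; either of these after the theme was exposed warrants resetting credentials and reviewing the instance further. Email changes are included because a takeover often swaps the recovery address as well.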


There are so many plug-ins and themes for the popular website CMS WordPress, some of which come from less professional providers, that security vulnerabilities are constantly coming to light. On Thursday of this week, for example, it became known that the WordPress plug-in “AI Engine”, which is used on more than 100,000 WordPress instances, has a high-risk vulnerability that could also allow attackers to completely compromise the instance. Updated software is also available for this, which admins should install quickly.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.