Mass exploitation of a critical-severity vulnerability in the Motors theme for WordPress began several weeks after public disclosure, WordPress security firm Defiant warns.
The Motors theme is aimed at automotive dealership businesses, including car, motorcycle, boat, and car rental dealers, offering pre-built websites and templates, and support for listing, user and dealer management.
The exploited vulnerability, tracked as CVE-2025-4322 (CVSS score of 9.8), is described as a privilege escalation issue via account takeover.
The bug exists because the theme fails to properly validate user identities prior to updating account passwords, which allows attackers to change the password of any user account.
“This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account,” a NIST advisory reads.
The security defect was patched on May 14 and publicly disclosed on May 19. According to Defiant, the first exploitation attempts targeting the bug were observed on May 20, while mass exploitation started on June 7.
The WordPress security firm warns that over 22,000 websites are using the theme, and that it has blocked more than 23,000 exploit attempts targeting CVE-2025-4322 since the vulnerability was publicly disclosed.
The issue affects the theme’s Login Register widget, which includes the vulnerable password recovery function. Because the function does not prevent password updates when the hash stored in the user meta value is empty, an attacker can update a user’s password even though that user has never requested a password reset.
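As an added illustration, and not code from the Motors theme or from Defiant, the following Python models the bug class the article describes: a reset routine that skips its token check when the stored reset hash is empty, placed beside a hardened version that refuses empty, expired or mismatched tokens and invalidates the token after use. The in-memory user-meta store, the SHA-256 token hashing, and the one-hour token lifetime are constructed assumptions for the example.

```python
"""
Model of a password-reset check that trusts an empty stored token hash.

Constructed teaching example (not the Motors theme's code). The vulnerable
variant reproduces the bug class described above: when a user has never
requested a reset, the stored reset hash is empty and the comparison is
skipped instead of the request being refused. The hardened variant refuses
empty or expired tokens, compares in constant time, and makes tokens single-use.
"""
import copy
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for WordPress user meta: user_id -> fields.
# An empty reset_hash means "no reset has been requested".
USER_META = {
    1: {"login": "admin", "reset_hash": "", "reset_expires": 0, "password": "old-admin-pass"},
    2: {"login": "dealer", "reset_hash": "", "reset_expires": 0, "password": "old-dealer-pass"},
}

RESET_TTL = 3600  # assumed one-hour token lifetime


def fresh_meta():
    """Return an independent copy of the sample store so each run starts clean."""
    return copy.deepcopy(USER_META)


def _hash(token):
    """Only the hash of a reset token is persisted, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(meta, user_id, now=None):
    """Create a reset token for a user (what a legitimate 'forgot password' does)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    meta[user_id]["reset_hash"] = _hash(token)
    meta[user_id]["reset_expires"] = now + RESET_TTL
    return token


def vulnerable_reset_password(meta, user_id, token, new_password):
    """Assumed vulnerable pattern: the comparison only runs when a hash is stored.

    With an empty stored hash (no reset requested) the guard is skipped and the
    password is overwritten, which is the failure mode the article describes.
    """
    user = meta.get(user_id)
    if user is None:
        return False
    stored = user["reset_hash"]
    if stored and _hash(token) != stored:  # empty stored hash -> check skipped
        return False
    user["password"] = new_password
    return True


def hardened_reset_password(meta, user_id, token, new_password, now=None):
    """Corrected check: fail closed on empty, expired, or mismatched tokens."""
    now = time.time() if now is None else now
    user = meta.get(user_id)
    if user is None:
        return False
    stored = user["reset_hash"]
    if not stored or not token:          # no reset pending -> refuse outright
        return False
    if now > user["reset_expires"]:       # stale token -> refuse
        return False
    if not hmac.compare_digest(_hash(token), stored):  # constant-time compare
        return False
    user["password"] = new_password
    user["reset_hash"] = ""               # single use: clear after success
    user["reset_expires"] = 0
    return True


if __name__ == "__main__":
    m = fresh_meta()
    print("vulnerable, no reset requested:", vulnerable_reset_password(m, 1, "", "x"))
    m = fresh_meta()
    print("hardened, no reset requested:", hardened_reset_password(m, 1, "", "x"))
```

The important line is the `if not stored` guard: a missing or empty stored hash must be treated as "no reset in progress" and rejected, not as "nothing to compare against". The expiry and single-use clearing are the usual companions to that check.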
Successful exploitation of the security defect, Defiant notes, can lead to full site compromise, as it may provide attackers with access to all administrative capabilities.
“This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and to modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content,” the security firm explains.
CVE-2025-4322 was resolved in Motors theme version 5.6.68. Users are advised to update to the patched version or a newer release as soon as possible.