22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme




On May 2nd, 2025, we received a submission for a Privilege Escalation vulnerability in Motors, a WordPress theme with more than 22,000 sales. This vulnerability makes it possible for an unauthenticated attacker to change the password of any user, including an administrator, which allows them to take over the account and the website.

Props to Foxyyy who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,073.00 for this discovery, which included a 10% meaningful researcher bonus for submitting an easy-to-reproduce report. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element of a multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 6, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on June 5, 2025.

We contacted the StylemixThemes team on May 5, 2025, and received a response on May 8, 2025. After providing full disclosure details, the developer released a patch on May 14, 2025. We would like to commend the StylemixThemes team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Motors, version 5.6.68 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Motors <= 5.6.67 – Unauthenticated Privilege Escalation via Password Update/Account Takeover

CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2025-4322
Affected Versions: <= 5.6.67
Patched Version: 5.6.68
Bounty: $1,073.00
Affected Software: Motors
Affected Software Slug: motors
Researcher: Foxyyy

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user’s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.

Technical Analysis

Motors is a car dealer, rental and listing WordPress theme available on the ThemeForest marketplace.

The Login Register widget includes the password-recovery.php template file from the theme via the following code snippet:

<div class="stm-login-register-form">
	<?php // Only the presence of the raw GET parameters is checked here; their values are not validated yet. ?>
	<?php if ( ! empty( $_GET['user_id'] ) && ! empty( $_GET['hash_check'] ) ) : // phpcs:ignore WordPress.Security.NonceVerification.Recommended ?>
		<?php get_template_part( 'partials/user/private/password', 'recovery' ); ?>
	<?php endif; ?>
</div>

The password-recovery.php template file contains the following code snippet, which handles password updates:

<?php
// Both values come straight from the query string; esc_attr() runs only now,
// after the widget's !empty() check has already passed.
$user_id_get = intval($_GET['user_id']);
$user_hash_check = esc_attr($_GET['hash_check']);
$message = '';
$error = false;

$user_exist = get_user_by('id', $user_id_get);

if(!$user_exist) {
    $error = true;
}

// The stored reset hash is empty for any user without a pending reset request.
$user_hash = get_the_author_meta('stm_lost_password_hash',$user_id_get);
if($user_hash !== $user_hash_check) {
    $error = true;
}

if(!empty($_POST['stm_new_password']) and !$error) {
    $new_password = stm_motors_sanitize_text_field($_POST['stm_new_password']);
    // No check that $user_hash or $user_hash_check is non-empty before the password is changed.
    wp_set_password($new_password, $user_id_get);
}

Unfortunately, the template does not include any check that prevents the password update when the hash is empty. This means that if the user hasn’t requested a password reset, so that the $user_hash value read from user meta is empty, attackers can update that user’s password.

While the widget does check that the $_GET['hash_check'] parameter is not empty before including the template file, that check can be bypassed by supplying an invalid UTF-8 character: the esc_attr() function, which runs after the !empty($_GET['hash_check']) check, strips the invalid value, leaving an empty string. An attacker can therefore send a request with an invalid UTF-8 value in the hash_check parameter; the value is stripped, the comparison of two empty strings succeeds, and the password can be changed. Since most users would not have an active password reset request, we expect this to be exploitable on the vast majority of sites.
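To make the ordering problem concrete, the following is an added illustration written for this post; it is not code from the Motors theme, from StylemixThemes, or from Wordfence. esc_attr_like() is an assumed stand-in for WordPress's esc_attr(), mimicking only the behaviour relied on above (a value that is not valid UTF-8 becomes an empty string). The hardened variant is likewise an assumption about how such a check should be written, not a description of the vendor's patch: it sanitizes before testing for emptiness, rejects an empty stored hash, compares in constant time, and honours an expiry timestamp.

```php
<?php
// Added illustration, not code from the Motors theme or from Wordfence.
// esc_attr_like() is an assumed stand-in for WordPress's esc_attr(), which
// returns an empty string for input that is not valid UTF-8.
function esc_attr_like(string $value): string {
    if (preg_match('//u', $value) !== 1) {
        return '';
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Mirrors the order of operations described above: the widget tests !empty()
// on the raw parameter, then the template sanitizes it and compares it with
// the stored meta using a plain strict comparison.
function vulnerable_reset_allowed(array $get, string $stored_hash): bool {
    if (empty($get['user_id']) || empty($get['hash_check'])) {
        return false;                  // widget-level check on the raw value
    }
    $supplied = esc_attr_like((string) $get['hash_check']);
    return $supplied === $stored_hash; // '' === '' when no reset is pending
}

// Hardened variant (an assumption, not the vendor's patch): sanitize first,
// then require both sides to be non-empty, compare in constant time, and
// refuse tokens whose expiry timestamp has passed.
function hardened_reset_allowed(array $get, string $stored_hash, int $expires_at, int $now): bool {
    $user_id  = isset($get['user_id']) ? (int) $get['user_id'] : 0;
    $supplied = isset($get['hash_check']) ? esc_attr_like((string) $get['hash_check']) : '';
    if ($user_id <= 0 || $supplied === '' || $stored_hash === '') {
        return false;                  // no pending reset, or the token was stripped
    }
    if ($now > $expires_at) {
        return false;                  // stale token
    }
    return hash_equals($stored_hash, $supplied);
}

// Constructed sample: a user with no pending reset (empty stm_lost_password_hash
// meta) and a request whose hash_check is a single byte that is not valid UTF-8.
$stored  = '';
$request = ['user_id' => '1', 'hash_check' => "\xff"];
var_dump(vulnerable_reset_allowed($request, $stored));
var_dump(hardened_reset_allowed($request, $stored, time() + 3600, time()));

// The legitimate path still works once a reset token has actually been issued.
$token = bin2hex(random_bytes(16));
var_dump(hardened_reset_allowed(['user_id' => '1', 'hash_check' => $token], $token, time() + 3600, time()));
```

Run it with a stock PHP CLI: the vulnerable check accepts the constructed request against a user with no pending reset, the hardened check rejects it, and the hardened check still accepts a genuine token before its expiry. The important design point is that any emptiness test has to be applied to the value that is actually compared, i.e. after sanitization, and that an empty stored token must never be a valid match.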

As with any Arbitrary User Password Change that leads to a Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site, they can manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and to modify posts and pages, which can be leveraged to redirect site users to other malicious sites or to inject spam content.

Disclosure Timeline

May 2, 2025 – We received the submission for the Privilege Escalation vulnerability in Motors via the Wordfence Bug Bounty Program.
May 5, 2025 – We validated the report and confirmed the proof-of-concept exploit.
May 5, 2025 – We initiated contact with the theme vendor asking that they confirm the inbox for handling the discussion.
May 6, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
May 8, 2025 – The vendor confirmed the inbox for handling the discussion.
May 8, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
May 14, 2025 – The fully patched version of the theme, 5.6.68, was released.
June 5, 2025 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the Motors theme affecting versions 5.6.67 and earlier. This vulnerability makes it possible for unauthenticated threat actors to easily take over websites by resetting the password of any user, including administrators. The vulnerability has been fully addressed in version 5.6.68 of the theme.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Motors as soon as possible considering the critical nature of this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 6, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on June 5, 2025.

If you know someone who uses this theme on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
