Motors Theme Vulnerability Exploited to Hack WordPress Websites

  • June 20, 2025

Jasper_The_Rasper
Moderator

Threat actors are exploiting a critical-severity vulnerability in the Motors theme for WordPress to change arbitrary user passwords.

June 20, 2025 By Ionut Arghire

Mass exploitation of a critical-severity vulnerability in the Motors theme for WordPress started several weeks after public disclosure, WordPress security firm Defiant warns.

The Motors theme is aimed at automotive dealership businesses, including car, motorcycle, boat, and car rental dealers, offering pre-built websites and templates, and support for listing, user and dealer management.

The exploited vulnerability, tracked as CVE-2025-4322 (CVSS score of 9.8), is described as a privilege escalation issue via account takeover.

The bug exists because the theme fails to properly validate user identities prior to updating account passwords, which allows attackers to change the password of any user account.

 

>>Full Article<<