Hackers are actively exploiting a critical vulnerability in the WordPress theme “Motors” to take over administrator accounts and gain full control of affected websites.
The flaw, tracked as CVE-2025-4322, is a privilege escalation vulnerability that allows unauthenticated attackers to reset admin passwords without authorization. Security firm Wordfence initially discovered and disclosed the issue, warning site owners to update immediately.
Developed by StylemixThemes, the Motors theme is widely used in automotive websites and has over 22,000 sales on the EnvatoMarket platform. The vulnerability affects all versions of the theme up to and including 5.6.67. It was identified on May 2, 2025, and first disclosed publicly by Wordfence on May 19. A patched version, 5.6.68, was released on May 14, but many users failed to update before attacks began just one day after disclosure.
The flaw exists in the theme’s “Login Register” widget, which handles user login and password recovery. Attackers exploit the widget by sending crafted POST requests to commonly used URLs such as /login-register, /account, or /reset-password. These requests include malformed UTF-8 characters in the ‘hash_check’ field, which causes the password reset check to accept input it should reject. The attacker then supplies a new password through the ‘stm_new_password’ parameter, often targeting the user IDs assigned to administrator accounts.
Wordfence reports that attackers are resetting admin credentials and then logging in to create persistent backdoor admin accounts. Commonly used attacker passwords include “Testtest123!@#”, “rzkkd$SP3znjrn”, “Kurd@Kurd12123”, and others. WordPress site owners may notice signs of compromise such as being locked out of admin accounts or seeing unfamiliar admin users in their dashboard.
By June 7, Wordfence had recorded over 23,100 blocked exploitation attempts and confirmed that attacks were happening at scale. The security firm has also published a list of known malicious IP addresses used in these attacks, advising administrators to add them to block lists immediately. WordPress site owners using the Motors theme are strongly urged to upgrade to version 5.6.68 or later without delay to avoid being compromised.
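As an added defender's example, not code from the article, Wordfence or StylemixThemes: a small Python check that flags captured requests matching the pattern described above (POST to a reset endpoint, a ‘hash_check’ value that is not valid UTF-8, an ‘stm_new_password’ parameter) and reports whether an installed Motors version is still affected. The `user_id` field name and the request records are assumptions constructed for the example, since the article does not name the parameter that carries the target account.

```python
from dataclasses import dataclass, field

# Paths the advisory names as commonly carrying the "Login Register" widget.
RESET_PATHS = {"/login-register", "/account", "/reset-password"}
# First fixed release; every build at or below 5.6.67 is affected.
PATCHED_VERSION = (5, 6, 68)


@dataclass
class Request:
    """A captured HTTP request as a WAF or reverse proxy would log it."""
    method: str
    path: str
    form: dict = field(default_factory=dict)  # field name -> raw bytes


def is_valid_utf8(raw: bytes) -> bool:
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def theme_is_vulnerable(version: str) -> bool:
    """True when a Motors version string is at or below 5.6.67."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < PATCHED_VERSION


def suspicious_reset(req: Request, admin_ids: set[int]) -> list[str]:
    """Reasons a request matches the reported exploitation pattern; [] if none."""
    if req.method.upper() != "POST" or req.path.rstrip("/") not in RESET_PATHS:
        return []
    reasons = []
    hash_check = req.form.get("hash_check")
    if hash_check is not None and not is_valid_utf8(hash_check):
        reasons.append("hash_check is not valid UTF-8")
    if "stm_new_password" in req.form:
        reasons.append("password reset via stm_new_password")
        # Assumed field name: the article does not say which parameter names the target.
        user_id = req.form.get("user_id", b"")
        if user_id.isdigit() and int(user_id) in admin_ids:
            reasons.append(f"targets administrator user id {int(user_id)}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a reset request with a non-UTF-8 hash_check aimed at user 1.
    sample = Request("POST", "/login-register",
                     {"hash_check": b"\xff", "stm_new_password": b"x", "user_id": b"1"})
    print(suspicious_reset(sample, {1}), theme_is_vulnerable("5.6.67"))
```

Run it against WAF or proxy logs that retain POST bodies; plain access logs do not record the form fields this check inspects.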