Critical Vulnerability in Motors WordPress Theme Exposes Sites to Full Takeover A severe security flaw in the Motors WordPress theme (CVE-2025-64374) has been disclosed, allowing logged-in users with minimal privileges—such as Subscribers—to gain full control of affected websites. The vulnerability stems from an arbitrary file upload issue, enabling attackers to install and activate malicious plugins, leading to potential remote code execution and complete site compromise. The Motors theme, developed by StylemixThemes, is a popular solution for automotive websites, including car dealerships, rental platforms, and classified listings, with over 20,000 active installations. The flaw affects versions 5.6.81 and below and was discovered by Denver Jackson of the Patchstack Alliance. The vulnerability resides in an AJAX handler that permits plugin installation via a backend function. While the function uses a nonce for request validation, it lacks proper permission checks. Since Subscriber-level users can access the nonce value through the WordPress admin interface, they can supply arbitrary plugin URLs, bypassing security controls. Patchstack emphasized that this issue reflects a broader problem in WordPress security: nonces are not a substitute for access control. The WordPress developer documentation warns that nonces should never be relied upon for authentication or authorization, recommending the use of `current_user_can()` checks instead. The flaw was patched in Motors version 5.6.82, released on 3 November, following responsible disclosure to the vendor in September. The update introduces a permission check to restrict plugin installation and activation to authorized users only. Site owners using the Motors theme are urged to update immediately to mitigate the risk, as unpatched installations remain vulnerable to one of the most critical classes of WordPress exploits.

The Motors theme, a premium WordPress theme developed by StylemixThemes, was found to have a critical vulnerability (CVE-2025-4322). This flaw allowed threat actors to take over admin accounts and gain full control of the websites using the theme. The issue was due to improper validation of user identities before updating passwords. The developers released a fix, but all versions up to 5.6.68 were affected. The theme, which is used by auto dealers and related services, has been sold over 22,300 times, making it a significant target for cybercriminals.