Urgent WordPress Alert: Motors Theme Flaw (CVE-2025-4322) Actively Exploited for Site Takeover

Last month, a critical vulnerability was reported to Wordfence that now threatens more than 22,000 WordPress websites using the popular Motors automotive dealership theme. Tracked as CVE-2025-4322 and rated CVSS 9.8, the vulnerability enables unauthenticated attackers to reset any user’s password, including administrators, resulting in full site takeover.

“This vulnerability makes it possible for an unauthenticated attacker to change the password of any user, including an administrator, which allows them to take over the account and the website,” Wordfence warned in its blog post.

Following the public disclosure on May 19, threat actors began targeting vulnerable sites almost immediately, with mass exploitation observed beginning on June 7th, 2025. Since then, the Wordfence Firewall has blocked over 23,100 exploit attempts, confirming the vulnerability is under active attack.

The flaw lies in how the Motors theme handles the “Login Register” widget, which includes a password reset function. An attacker only needs to discover the page containing this widget and then manipulate the hash_check parameter to exploit the password reset mechanism.

Specifically, malformed or invalid UTF-8 characters—such as %80, %C0, or %25C0—are passed into the hash_check parameter. These characters are stripped during processing, causing the hash comparison to erroneously succeed and allowing the attacker to set a new password.

“The hash_check parameter must be a sequence of invalid utf8 character(s), which get stripped and cause the hash comparison to succeed,” Wordfence explains.

Attackers are attempting password resets across a wide range of common URL paths such as /reset-password, /account, or /signin. Below are sample attack payloads:

POST /index.php/login-register/?user_id=3&hash_check=%80
POST /account/?user_id=1&hash_check=%25C0
POST /reset-password?user_id=1&hash_check=%C0

These requests include the new password in the POST body under the parameter stm_new_password.

Wordfence identified the most active malicious IPs attempting to exploit CVE-2025-4322:

• 198.2.233.90 – Over 4,700 blocked requests
• 192.210.243.217 – Over 3,600
• 123.253.111.178 – Over 3,200
• 217.142.21.233, 8.217.154.123, and others have also been flagged

“Most of the requests we blocked would likely have led to site compromises if they did not have Wordfence installed,” the report warns.

If you’re using the Motors theme and:

• Admin credentials no longer work
• New unauthorized admin accounts have appeared
• Access logs show suspicious hash_check parameters (starting with % and short in length)

…it’s possible your site has been compromised.

Look for these access log patterns:

?user_id=1&hash_check=%80
?user_id=1&hash_check=%C0

If your site uses the Motors WordPress theme, take the following steps immediately:

• Update to version 5.6.68 or later, the only currently patched version
• Review your admin users list for suspicious accounts
• Monitor your access logs for hash_check anomalies
• Enable and configure a firewall like Wordfence, which is actively blocking this exploit

Related Posts:

• High Risk (CVSS 9.8): Motors Theme Flaw Exposes 22,000+ WordPress Sites to Full Takeover
• Kawasaki Europe Navigates Ransomware Incident, Recovery in Progress
• WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
• New WordPress Malware Masquerades as Legit Plugin with Data Exfiltration and RCE Capabilities

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy