Description
The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.
Published: 2025-05-20
Score: 9.8 Critical
EPSS: 43.9% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Motors theme for WordPress is vulnerable to privilege escalation because the theme fails to verify a user’s identity before allowing a password change. An unauthenticated attacker can modify the password of any user, including administrators, by exploiting this flaw. This weakness is identified as a failure to authenticate before mutating account data.

Affected Systems

All installations of StylemixThemes Motors Car Dealer, Rental & Listing WordPress theme with versions 5.6.67 or earlier are affected. The vulnerability impacts the authentication and account management components of the theme.

Risk and Exploitability

The CVSS score of 9.8 combined with an EPSS score of 44% indicates a high‑severity vulnerability with a moderate exploitation probability. The vulnerability is not yet listed under CISA KEV. Based on the description, the likely attack vector involves an unauthenticated HTTP request to the theme’s password‑change endpoint, which does not enforce identity checks and returns a successful response upon submission.

Generated by OpenCVE AI on May 5, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Motors theme to the latest release, which removes the unsecured password‑change endpoint.
  • If an update cannot be applied immediately, restrict or disable the password reset functionality for all user roles until the theme is patched.
  • Deploy a WAF rule that blocks unauthenticated POST requests to the theme’s password‑change API endpoint.

Generated by OpenCVE AI on May 5, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.28816}

 epss

{'score': 0.30799}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.30799}

 epss

{'score': 0.28816}

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.32678}

 epss

{'score': 0.30799}

Tue, 20 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 May 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.
Title Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover
Weaknesses CWE-620
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:49.975Z

Reserved: 2025-05-05T14:51:49.129Z

Link: CVE-2025-4322

cve-icon Vulnrichment

Updated: 2025-05-20T14:02:36.287Z

cve-icon NVD

Status : Deferred

Published: 2025-05-20T06:15:38.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4322

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T14:45:05Z

Weaknesses