First comes the password reset. Then a new admin. Then—you lose control completely.
A critical vulnerability in the Motors WordPress theme allowed hackers to silently seize admin rights and gain full control over affected sites. The flaw, designated CVE-2025-4322, is a privilege escalation bug discovered on May 2, 2025, and analyzed by the Wordfence security team, which released a detailed report on May 19, urging immediate patching.
Motors is a premium WordPress theme by StylemixThemes, widely used for automotive-related websites—from dealerships to vehicle marketplaces. Available on EnvatoMarket, it has been downloaded over 22,460 times.
The vulnerability affects all versions up to and including 5.6.68. A patch was released on May 14, but many administrators failed to update in time. By May 20, just a day after public disclosure, active exploit attempts had already begun. By June 7, Wordfence recorded more than 23,100 exploitation attempts.
The Vulnerability
The flaw lies in the “Login Register” widget, responsible for login, registration, and password recovery. The core issue is in the password reset logic.
How the attack works:
- The attacker locates an active reset path, such as /login-register, /account, /reset-password, or /signin.
- They send a series of POST requests with malformed parameters, probing until the server responds positively.
- The exploit relies on a malicious value in the hash_check parameter — encoded with invalid UTF-8 characters.
- This causes the hash validation to fail silently, tricking the system into thinking the request is legitimate.
- The attacker then supplies a new password via the stm_new_password parameter and specifies ID=1 — typically the site’s original admin user.
As a result, the attacker resets the admin password, gains access to the site backend, and may create additional admin accounts to maintain long-term control.
Warning Signs and Threat Indicators
Wordfence reports that common signs of compromise include:
- Unexpected admin lockouts
- Appearance of new administrator accounts
Several password combinations used in the attacks have been identified:
- Testtest123!@#
- rzkkd$SP3znjrn
- Kurd@Kurd12123
- owm9cpXHAZTk
- db250WJUNEiG
If any of these appear in logs or admin user lists, it’s a strong signal of exploitation.
Wordfence also published a list of malicious IPs, and recommends temporarily blocking them at the web server level to mitigate automated attacks.
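A defender-side check for the log review described above, added here as an example and not taken from the Wordfence report or the article: it parses access-log lines in Apache/nginx combined format and flags client IPs that POST to the named reset endpoints several times within a short window, the probing pattern the article describes. The endpoint list, the thresholds and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Reset endpoints the article names as the paths probed in the attack.
RESET_PATHS = {"/login-register", "/account", "/reset-password", "/signin"}

# Apache/nginx "combined" log format (the constructed sample lines below follow it).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def parse_line(line):
    """Return (ip, timestamp, method, normalized path) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0].rstrip("/") or "/"
    return m["ip"], ts, m["method"], path

def scan_access_log(lines, window_seconds=60, threshold=3):
    """Return {ip: total reset-form POSTs} for clients with `threshold` such POSTs inside `window_seconds`."""
    posts = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec and rec[2] == "POST" and rec[3] in RESET_PATHS:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        # Sliding window: `threshold` POSTs to reset paths within `window_seconds` is a burst.
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample lines (not real traffic): 198.51.100.7 hits four reset
# endpoints within seconds; 203.0.113.9 is one ordinary login.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/May/2025:10:00:01 +0000] "POST /login-register/ HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [20/May/2025:10:00:03 +0000] "POST /account HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [20/May/2025:10:00:05 +0000] "POST /reset-password HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [20/May/2025:10:00:07 +0000] "POST /signin HTTP/1.1" 302 0 "-" "curl/8.0"',
    '203.0.113.9 - - [20/May/2025:10:05:00 +0000] "GET /login-register HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/May/2025:10:05:30 +0000] "POST /login-register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in scan_access_log(SAMPLE_LOG).items():
        print(f"{ip}: {count} reset-form POSTs in a burst; review for CVE-2025-4322 probing")
```

Flagged IPs are a starting point for the audit of administrator accounts and password-reset activity, not proof of compromise; a legitimate user retrying a reset form can also trip a low threshold.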
Recommended Actions
- Update to Motors version 5.6.68 immediately.
- Audit all administrator accounts.
- Review server and admin logs for suspicious activity.
- Consider resetting passwords for all critical accounts.
- Enable additional security measures such as 2FA and rate limiting on reset forms.
This case underscores how a single overlooked function in a popular theme can lead to mass compromise. Prompt updates and regular audits are crucial to safeguarding WordPress environments.
