A critical security flaw tracked as CVE-2025-4322 has left a widely used premium WordPress theme exposed to attackers.

Cybercriminals have been exploiting this vulnerability in the Motors theme to seize administrator accounts, allowing them to fully compromise websites—modifying information, inserting fake content, and distributing malicious payloads.

Developed by StylemixThemes, Motors has become especially popular with automotive websites, recording nearly 22,500 purchases on EnvatoMarket. Security researchers first identified the flaw on May 2, 2025, and a fix was issued with version 5.6.68 on May 14. Users who have updated to this version are protected, while those still running versions up to 5.6.67 remain vulnerable.

“This is due to the theme not properly validating a user’s identity prior to updating their password,” Wordfence explained.

“This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.”

Despite the release of the patch, attacks began surfacing as early as May 20. By June 7, researchers observed widespread exploitation, with Wordfence reporting it had already blocked over 23,000 attack attempts. The firm also shared lists of IP addresses involved in the attacks, many launching thousands of intrusion efforts.

“One obvious sign of infection is if a site’s administrator is unable to log in with the correct password as it may have been changed as a result of this vulnerability,” the researchers explained.

To secure their sites, users of the Motors theme are strongly advised to upgrade to version 5.6.68 immediately, which addresses the flaw and prevents further account takeovers.