StylemixThemes: Motors WordPress Vulnerability Exposes Sites to Takeover

Critical Vulnerability in Motors WordPress Theme Exposes Sites to Full Takeover

A severe security flaw in the Motors WordPress theme (CVE-2025-64374) has been disclosed, allowing logged-in users with minimal privileges, such as Subscribers, to gain full control of affected websites. The vulnerability stems from an arbitrary file upload issue that lets attackers install and activate malicious plugins, leading to potential remote code execution and complete site compromise.

The Motors theme, developed by StylemixThemes, is a popular solution for automotive websites, including car dealerships, rental platforms, and classified listings, with over 20,000 active installations. The flaw affects versions 5.6.81 and below and was discovered by Denver Jackson of the Patchstack Alliance.

The vulnerability resides in an AJAX handler that permits plugin installation via a backend function. The function validates requests with a nonce but performs no capability (permission) check. Because Subscriber-level users can read the nonce value from the WordPress admin interface, they can pass the nonce check and supply arbitrary plugin URLs, bypassing the intended access controls.

Patchstack emphasized that this issue reflects a broader problem in WordPress security: nonces are not a substitute for access control. The WordPress developer documentation warns that nonces should never be relied upon for authentication or authorization, recommending the use of current_user_can() checks instead.

The flaw was patched in Motors version 5.6.82, released on 3 November, following responsible disclosure to the vendor in September. The update introduces a permission check to restrict plugin installation and activation to authorized users only.
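The pattern behind the flaw and its fix, as an added illustration rather than the Motors theme's own code: a WordPress AJAX handler that only calls check_ajax_referer() stops CSRF but does not decide who is allowed to act, so the hardened version adds current_user_can() checks. The action name, nonce name and request field are hypothetical; the capability names and the Plugin_Upgrader API are standard WordPress.

```php
<?php
// Added example of the bug class described above; not code from the Motors theme.
// Hypothetical action/nonce/field names: 'example_install_plugin', 'nonce', 'plugin_url'.

// BEFORE: the nonce proves the request came from a page that rendered the nonce,
// nothing more. Any logged-in user who can reach wp-admin (Subscribers can) obtains
// the nonce, passes this gate and reaches the installer. Shown unregistered.
function example_install_plugin_vulnerable() {
    check_ajax_referer( 'example_install_plugin', 'nonce' ); // CSRF protection only
    $plugin_url = isset( $_POST['plugin_url'] ) ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) ) : '';
    // ... plugin downloaded from $plugin_url, installed and activated here ...
    wp_send_json_success();
}

// AFTER: keep the nonce (anti-CSRF) and add an explicit authorization decision.
function example_install_plugin_fixed() {
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // Authorization: only users allowed to install AND activate plugins may continue.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $plugin_url = isset( $_POST['plugin_url'] ) ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) ) : '';
    if ( '' === $plugin_url ) {
        wp_send_json_error( array( 'message' => 'Missing plugin URL.' ), 400 );
    }

    // Standard WordPress installer; the skin collects messages instead of printing HTML.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $plugin_url );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'plugin' => $upgrader->plugin_info() ) );
}
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_fixed' );
```

When reviewing a theme or plugin, grep every `wp_ajax_` handler for a `current_user_can()` call; a nonce check without one is exactly the gap described in this advisory.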

Site owners using the Motors theme are urged to update immediately to mitigate the risk, as unpatched installations remain vulnerable to one of the most critical classes of WordPress exploits.

Source: https://www.infosecurity-magazine.com/news/motors-wordpress-flaw-takeover/

StylemixThemes TPRM report: https://www.rankiteo.com/company/stylemixthemes

{
  "id": "sty1765994088",
  "linkid": "stylemixthemes",
  "type": "Vulnerability",
  "date": "11/2025",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{'affected_entities': [{'customers_affected': '20,000+ active installations',
                        'industry': 'Web Development (WordPress Themes)',
                        'name': 'StylemixThemes (Motors WordPress Theme)',
                        'type': 'Software Vendor'},
                       {'industry': 'Automotive, E-commerce',
                        'name': 'Automotive Websites (Car Dealerships, Vehicle '
                                'Rental Platforms, Classified Listings)',
                        'type': 'End Users'}],
 'attack_vector': 'Privilege Escalation via AJAX Handler',
 'customer_advisories': 'Users of Motors theme urged to update to version '
                        '5.6.82 or later.',
 'date_publicly_disclosed': '2024-11-03',
 'date_resolved': '2024-11-03',
 'description': 'A security flaw in the Motors WordPress theme allows '
                'logged-in users with minimal privileges (Subscribers and '
                'above) to gain full control of affected websites via an '
                'arbitrary file upload vulnerability. The flaw enables '
                'malicious plugin installation and activation, leading to '
                'potential code execution and site takeover.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage for '
                                       'affected automotive websites',
            'operational_impact': 'Full site takeover, potential malicious '
                                  'code execution',
            'systems_affected': 'WordPress websites using Motors theme '
                                '(versions 5.6.81 and below)'},
 'investigation_status': 'Resolved',
 'lessons_learned': ['Nonces alone are not sufficient to protect privileged '
                     'functionality',
                     'All actions that modify a site should enforce strict '
                     'permission checks',
                     'Logged-in users should never be assumed to be '
                     'trustworthy by default'],
 'post_incident_analysis': {'corrective_actions': 'Added `current_user_can()` '
                                                  'permission check in Motors '
                                                  'theme version 5.6.82',
                            'root_causes': 'Lack of proper permission check in '
                                           'AJAX handler, reliance on nonce '
                                           'for access control'},
 'recommendations': 'Site owners running the Motors theme are strongly advised '
                    'to update to version 5.6.82 or later to mitigate the '
                    'risk.',
 'references': [{'date_accessed': '2024-11-03',
                 'source': 'Patchstack Advisory'},
                {'source': 'WordPress Developer Documentation'}],
 'response': {'communication_strategy': 'Public advisory published by '
                                        'Patchstack',
              'containment_measures': 'Patch released (version 5.6.82) with '
                                      '`current_user_can()` permission check',
              'remediation_measures': 'Update to Motors theme version 5.6.82 '
                                      'or later',
              'third_party_assistance': 'Patchstack Alliance (Vulnerability '
                                        'Discovery and Disclosure)'},
 'stakeholder_advisories': 'Developers and site owners advised to enforce '
                           'strict permission checks and update affected '
                           'themes.',
 'title': 'Arbitrary File Upload Vulnerability in Motors WordPress Theme '
          '(CVE-2025-64374)',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'Arbitrary File Upload (CVE-2025-64374)'}