What the vulnerability does
01 Description
The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.
Explanation of Vulnerability in Simple Terms
02 Summary
The Motors WordPress theme contains a critical vulnerability affecting all versions up to and including 5.6.67. An attacker can exploit this flaw without authentication or user interaction to compromise the site. The vulnerability allows unauthorized access to sensitive data, modification of site content, and disruption of service. All users should update immediately to a patched version.
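To confirm whether an installation falls in the affected range, the following added example (not code from the theme or from this advisory) reads the `Version` header that WordPress themes declare in `style.css` and compares it with 5.6.67. It assumes the theme's `Theme Name` header is `Motors`; the function names and the sample files in the test are constructed for illustration.

```python
import re
from pathlib import Path

# Last affected release, taken from the advisory text above.
LAST_AFFECTED = (5, 6, 67)

# WordPress themes declare metadata as "Key: value" lines in the style.css header comment.
_HEADER = r"^[ \t/*#@]*{}:[ \t]*(.+?)[ \t]*$"


def read_header(css_text, key):
    """Return a header field from the first 8 KiB of style.css, or None."""
    m = re.search(_HEADER.format(re.escape(key)), css_text[:8192], re.I | re.M)
    return m.group(1) if m else None


def parse_version(raw):
    """Turn '5.6.67' or '5.7-beta' into a comparable 3-tuple; None if unparsable."""
    m = re.match(r"(\d+(?:\.\d+)*)", raw or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(css_text, theme_name="Motors"):
    """True/False for the named theme; None for other themes or a missing version."""
    name = read_header(css_text, "Theme Name")
    # Assumption: the parent theme identifies itself as "Motors" in its header.
    if name is None or name.strip().lower() != theme_name.lower():
        return None
    version = parse_version(read_header(css_text, "Version"))
    if version is None:
        return None
    return version <= LAST_AFFECTED


def scan_themes(themes_dir):
    """Map each matching theme folder under wp-content/themes to its verdict."""
    results = {}
    for css in Path(themes_dir).glob("*/style.css"):
        verdict = is_affected(css.read_text(encoding="utf-8", errors="replace"))
        if verdict is not None:
            results[css.parent.name] = verdict
    return results
```

Run `scan_themes` against the site's `wp-content/themes` directory; a `True` entry means the installed copy is at or below 5.6.67. Child themes carry their own version number, so the verdict that matters is the one for the parent theme folder.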
What an attacker can do
03 Attacker Capabilities
Read sensitive data, modify site content, and disrupt service without needing to log in.
Potential impact on your site
04 Site Impact
Your site's data, content, and availability are at immediate risk. An attacker can compromise it without any credentials.
Conditions required to exploit
05 Prerequisites
None. The attacker can exploit this remotely over the network without authentication.
Key dates
06 Disclosure timeline
May 20, 2025: CVE published
April 8, 2026: Record updated