Last month, a critical vulnerability was reported to Wordfence that now threatens more than 22,000 WordPress websites using the popular Motors automotive dealership theme. Tracked as CVE-2025-4322 and rated CVSS 9.8, the vulnerability enables unauthenticated attackers to reset any user's password, including administrators, resulting in full site takeover.
"This vulnerability makes it possible for an unauthenticated attacker to change the password of any user, including an administrator, which allows them to take over the account and the website," Wordfence warned in its blog post.
Following the public disclosure on May 19, threat actors began targeting vulnerable sites almost immediately, with mass exploitation observed beginning on June 7th, 2025. Since then, the Wordfence Firewall has blocked over 23,100 exploit attempts, confirming the vulnerability is under active attack.
The flaw lies in how the Motors theme handles the "Login Register" widget, which includes a password reset function. An attacker only needs to discover the page containing this widget and then manipulate the hash_check parameter to exploit the password reset mechanism.
Specifically, malformed or invalid UTF-8 characters (such as %80, %C0, or %25C0) are passed into the hash_check parameter. These characters are stripped during processing, causing the hash comparison to erroneously succeed and allowing the attacker to set a new password.
"The hash_check parameter must be a sequence of invalid utf8 character(s), which get stripped and cause the hash comparison to succeed," Wordfence explains.
Attackers are attempting password resets across a wide range of common URL paths such as /reset-password, /account, or /signin.
These requests include the new password in the POST body under the parameter stm_new_password.
Wordfence identified the most active malicious IPs attempting to exploit CVE-2025-4322:
198.2.233.90: over 4,700 blocked requests
192.210.243.217: over 3,600
123.253.111.178: over 3,200
217.142.21.233, 8.217.154.123, and others have also been flagged
"Most of the requests we blocked would likely have led to site compromises if they did not have Wordfence installed," the report warns.
If you're using the Motors theme and:
Admin credentials no longer work
New unauthorized admin accounts have appeared
Access logs show suspicious hash_check parameters (starting with % and short in length)
...it's possible your site has been compromised.
Patch Availability
If your site uses the Motors WordPress theme, take the following steps immediately:
Update to version 5.6.68 or later, the only currently patched version
Review your admin users list for suspicious accounts
Monitor your access logs for hash_check anomalies
Enable and configure a firewall like Wordfence, which is actively blocking this exploit
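The "monitor your access logs for hash_check anomalies" step above, as an added example that is not part of the Wordfence report: it scans combined-format access log lines for a hash_check query parameter whose value is not valid UTF-8 after one or two rounds of percent-decoding (the %80 / %C0 / %25C0 pattern described above) or is implausibly short for a reset hash. The log lines, IP addresses and the 16-character length threshold are constructed assumptions; the parameter name hash_check is the one the article names.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample log lines (Apache combined style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2025:10:01:02 +0000] "POST /reset-password/?hash_check=%80 HTTP/1.1" 200 512
203.0.113.6 - - [07/Jun/2025:10:01:05 +0000] "POST /account/?hash_check=%25C0 HTTP/1.1" 200 512
198.51.100.7 - - [07/Jun/2025:10:02:00 +0000] "GET /signin/?hash_check=3f2a9c1e7b4d5e6f8a9b0c1d2e3f4a5b HTTP/1.1" 200 2048
198.51.100.8 - - [07/Jun/2025:10:03:00 +0000] "GET /blog/?p=12 HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def raw_query_params(query):
    """Split a query string without percent-decoding, so invalid bytes survive intact."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def is_suspicious_hash_check(raw, max_decode_layers=2, min_valid_len=16):
    """True if the value is invalid UTF-8 at any decoding layer, or too short to be a real hash."""
    value = raw
    for _ in range(max_decode_layers):
        decoded = unquote_to_bytes(value)
        try:
            text = decoded.decode("utf-8")
        except UnicodeDecodeError:
            return True  # a sanitizer would strip these bytes, leaving an empty comparison
        if text == value:  # nothing left to decode (covers double-encoded %25C0 on pass two)
            break
        value = text
    return len(value) < min_valid_len  # assumed threshold: genuine reset hashes are long


def scan_log(log_text):
    """Return (client_ip, path, raw_hash_check) for every request with a suspicious hash_check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        params = raw_query_params(parts.query)
        if "hash_check" in params and is_suspicious_hash_check(params["hash_check"]):
            hits.append((line.split(" ", 1)[0], parts.path, params["hash_check"]))
    return hits
```

Values sent only in the POST body are not visible in standard access logs, so pair this with the admin-user review step above.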