Security Breach in Motors WordPress Theme Exposes Websites to Full Control Risks
A significant security vulnerability has been identified within the Motors WordPress theme, endangering the integrity of numerous websites by allowing logged-in users with minimal permissions to seize complete control.
This vulnerability involves an arbitrary file upload flaw, enabling users classified as Subscribers or those with higher roles to install and activate plugins. Such capability heightens the risk of executing malicious code on the affected websites.
The Motors theme, developed by StylemixThemes, has gained considerable traction as a preferred WordPress solution for automotive-oriented websites, encompassing car dealerships, vehicle rental services, and classified advertising platforms. Currently, it boasts over 20,000 active installations.
This critical flaw impacts all versions up to and including 5.6.81 and has been allocated the identifier CVE-2025-64374.
The vulnerability was detected and responsibly communicated by Denver Jackson, a member of the Patchstack Alliance. The root of the issue lies in an AJAX handler that facilitates plugin installation via a backend function.
While this function employs a nonce for request validation, it falls short in executing a thorough permission verification.
Given that the nonce value is accessible to Subscriber-level users within the WordPress administrative interface, any logged-in individual has the potential to submit an arbitrary plugin URL.
This vulnerability enables malicious plugins to be uploaded and activated, ultimately permitting an unauthorised site takeover.
Patchstack has remarked that this incident is indicative of a more pervasive problem prevalent across various WordPress components. Nonces are intended to safeguard against request forgery rather than to enforce access restrictions.
As advised in the WordPress developer documentation, “Nonces should never be relied upon for authentication, authorisation, or access control. Protect your functions using current_user_can() and always assume that nonces can be compromised.”
For more insights on WordPress theme security, explore: Critical WordPress Plugin Bugs Exploited En Masse
The vulnerability has been rectified in Motors version 5.6.82, which has integrated a current_user_can permission verification.
This update ensures that only authorised users can initiate the plugin installation and activation processes. The patch was unveiled on 3 November, subsequent to notifying the vendor in September.
The advisory released by PatchStack today emphasises several crucial takeaways for developers and site administrators:
- Nonces alone are inadequate for safeguarding privileged functionalities.
- Every action that modifies a site should implement rigorous permission checks.
- Assumptions of trustworthiness for logged-in users should never be made.
Website administrators utilising the Motors theme are strongly urged to upgrade to version 5.6.82 or later to alleviate the associated risks. Neglecting to apply this update could leave sites vulnerable to one of the most severe categories of WordPress threats.
Source link: Infosecurity-magazine.com.
