CVE-2025-4322 is a critical security vulnerability identified in the Motors - Car Dealer, Rental & Listing WordPress theme developed by StylemixThemes. The vulnerability stems from improper validation of user identity during password change requests, classified under CWE-620 (Unverified Password Change). This flaw allows unauthenticated attackers to arbitrarily change the passwords of any user, including administrators, without needing to prove ownership of the account. The issue affects all versions of the theme up to and including 5.6.67. Because the vulnerability requires no authentication (AV:N), no privileges (PR:N), and no user interaction (UI:N), it is trivially exploitable remotely. The scope is unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), resulting in a CVSS v3.1 base score of 9.8. Exploiting this vulnerability enables attackers to take over accounts, escalate privileges, and potentially gain full control over the WordPress site, leading to data theft, site defacement, or further malware deployment. No patches or exploit code are currently publicly available, but the threat is significant given the widespread use of WordPress and the popularity of this theme in automotive-related websites. The vulnerability was published on May 20, 2025, with prior reservation on May 5, 2025, and has been enriched by CISA for awareness. Immediate remediation is critical to prevent exploitation.

The impact of CVE-2025-4322 is severe for organizations using the Motors WordPress theme. Successful exploitation allows attackers to bypass authentication controls and change passwords for any user, including administrators, leading to full account takeover. This compromises site confidentiality by exposing sensitive user and business data, integrity by allowing unauthorized content modification or malicious code injection, and availability by potentially locking out legitimate users or disrupting site operations. The vulnerability's ease of exploitation and lack of required authentication make it a high-risk vector for attackers aiming to compromise automotive dealership, rental, and listing websites. Organizations could face data breaches, reputational damage, financial loss, and regulatory penalties. Additionally, compromised sites may be leveraged for further attacks such as phishing, malware distribution, or lateral movement within corporate networks. The threat extends to managed hosting providers and agencies supporting affected clients, amplifying the potential damage.

To mitigate CVE-2025-4322, organizations should immediately update the Motors theme to a patched version once released by StylemixThemes. Until a patch is available, implement the following specific measures: 1) Disable or restrict password change functionality in the theme settings or via custom code to enforce identity verification; 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized password change attempts targeting the theme’s endpoints; 3) Enforce strong multi-factor authentication (MFA) on all administrator and privileged accounts to reduce the impact of compromised credentials; 4) Monitor logs for unusual password reset or account modification activities; 5) Limit administrative access by IP whitelisting or VPN; 6) Regularly backup site data and configurations to enable rapid recovery; 7) Conduct security audits and penetration testing focusing on authentication and authorization controls within the theme; 8) Educate site administrators about the vulnerability and encourage prompt action. These targeted steps go beyond generic advice and address the specific exploitation vector of this vulnerability.