A security flaw in the Motors WordPress theme has been disclosed that could allow logged-in users with minimal privileges to gain full control of affected websites.
The issue involves an arbitrary file upload vulnerability that allows Subscribers and higher-level users to install and activate plugins, potentially enabling malicious code execution.
The Motors theme is a widely used WordPress solution for automotive websites, including car dealerships, vehicle rental platforms and classified listings.
Developed by StylemixThemes, it currently has more than 20,000 active installations.
The vulnerability affects versions 5.6.81 and below and has been assigned CVE-2025-64374.
The flaw was discovered and responsibly reported by Denver Jackson, a member of the Patchstack Alliance community. It resides in an AJAX handler that installs plugins through a backend function. The handler validates a nonce on the request, but performs no capability (permission) check on the user making it.
Because the nonce value can be accessed by Subscriber-level users from the WordPress admin interface, any logged-in user can supply an arbitrary plugin URL. This allows malicious plugins to be uploaded and activated, ultimately leading to a full site takeover.
Patchstack noted that this reflects a broader issue seen across WordPress components. Nonces are designed to protect against request forgery, not to enforce access control.
“Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can() and always assume that nonces can be compromised,” advises the WordPress developer documentation.
The issue was fixed in Motors version 5.6.82, which introduced a current_user_can() capability check. This ensures that only users authorized to install and activate plugins can trigger the process. The patch was released on 3 November, following disclosure to the vendor in September.
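The pattern behind the bug, and the shape of the fix, as an added illustration in PHP. This is not the Motors theme's code or Patchstack's advisory code; the function names (motors_demo_install_plugin_vulnerable, motors_demo_install_plugin_fixed, motors_demo_do_install), the nonce action 'motors_demo_nonce', the AJAX action 'motors_demo_install' and the 'package_url' parameter are all hypothetical. The WordPress APIs used (check_ajax_referer, current_user_can, Plugin_Upgrader, WP_Ajax_Upgrader_Skin, activate_plugin, wp_send_json_error) are real core functions and classes.

```php
<?php
/**
 * Added example, not code from the Motors theme or from Patchstack.
 * Hypothetical names: motors_demo_install_plugin_vulnerable,
 * motors_demo_install_plugin_fixed, motors_demo_do_install,
 * the 'motors_demo_nonce' nonce action, the 'motors_demo_install' AJAX
 * action and the 'package_url' POST parameter.
 */

// Vulnerable shape: nonce check only.
// A nonce proves the request was generated from a page WordPress rendered
// for *this* user. Every logged-in user, including a Subscriber who can
// read the nonce out of the admin interface, therefore holds a valid one.
function motors_demo_install_plugin_vulnerable() {
    check_ajax_referer( 'motors_demo_nonce', 'security' );

    $package = isset( $_POST['package_url'] )
        ? esc_url_raw( wp_unslash( $_POST['package_url'] ) )
        : '';

    // No current_user_can() call: any authenticated user reaches the
    // installer with a URL of their choosing.
    motors_demo_do_install( $package );
}

// Hardened shape: the nonce still guards against CSRF, but authorization
// now comes from current_user_can(), the kind of check the 5.6.82 fix adds.
function motors_demo_install_plugin_fixed() {
    check_ajax_referer( 'motors_demo_nonce', 'security' );

    // Both capabilities are needed because the handler does both actions.
    // On multisite, install_plugins is held only by super admins.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $package = isset( $_POST['package_url'] )
        ? esc_url_raw( wp_unslash( $_POST['package_url'] ) )
        : '';
    if ( '' === $package ) {
        wp_send_json_error( array( 'message' => 'Missing package URL.' ), 400 );
    }

    motors_demo_do_install( $package );
}

// Shared install-and-activate routine built on core's upgrader API.
// This is the capability the bug hands to a Subscriber: fetch a zip from
// an arbitrary URL, unpack it into wp-content/plugins and activate it.
function motors_demo_do_install( $package ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $package );

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }

    // plugin_info() returns the main plugin file (e.g. "slug/slug.php").
    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'plugin' => $plugin_file ) );
}

// Registering under wp_ajax_ (rather than wp_ajax_nopriv_) only requires
// that the caller be logged in. It is not an authorization check either.
add_action( 'wp_ajax_motors_demo_install', 'motors_demo_install_plugin_fixed' );
```

The two handlers differ by a single guard, which is why this class of bug is easy to ship: the nonce check looks like security. When auditing a theme or plugin, grep every wp_ajax_ and admin_post_ callback for a current_user_can() (or a function that calls it) before any write, install or activation, and treat a handler that only calls check_ajax_referer() or wp_verify_nonce() as unauthorized for any logged-in role.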
The advisory, published by Patchstack today, highlights several key lessons for developers and site owners:
- Nonces alone are not sufficient to protect privileged functionality
- All actions that modify a site should enforce strict permission checks
- Logged-in users should never be assumed to be trustworthy by default
Site owners running the Motors theme are strongly advised to update to version 5.6.82 or later to mitigate the risk. Failing to apply the update leaves sites exposed to one of the most severe classes of WordPress vulnerabilities.
