Advisory

Critical arbitrary file upload flaw reported in WordPress Motors theme

Take action: If you're using the Motors WordPress theme (version 5.6.81 or below), this is important and probably urgent. Plan a quick upgrade to version 5.6.82 or later. Review all user accounts with Subscriber-level or higher privileges and check for any unauthorized plugins that may have been installed.
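The third action above, checking for plugins that should not be there, is the part most easily scripted. The following CLI script is an added example written for this advisory; it is not code from StylemixThemes or from the advisory itself. It assumes a path to `wp-content/plugins` is given on the command line and that `ALLOWED_PLUGINS` holds the site owner's own inventory (the two slugs below are constructed placeholders). It reports every plugin directory that is either absent from the inventory or contains a file changed since a cut-off date, which is what an investigator wants to eyeball after a site has run a vulnerable version.

```php
<?php
// Added example for this advisory, not the theme's or WordPress core's code.
// Usage (assumed): php audit-plugins.php /var/www/html/wp-content/plugins 2025-01-01

// Constructed placeholder inventory: replace with the site's real, reviewed list.
const ALLOWED_PLUGINS = array(
    'akismet',
    'classic-editor',
);

// Newest modification time of any file below $dir. A directory's own mtime
// only changes when entries are added or removed, so walk the tree instead.
function newest_mtime( string $dir ): int {
    $newest = filemtime( $dir );
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        $newest = max( $newest, $file->getMTime() );
    }
    return $newest;
}

// Return one finding per plugin directory that is not on the allowlist or
// has been touched at or after $since_ts.
function audit_plugin_dirs( string $plugins_dir, array $allowed, int $since_ts ): array {
    $findings = array();
    foreach ( scandir( $plugins_dir ) as $entry ) {
        $path = $plugins_dir . DIRECTORY_SEPARATOR . $entry;
        if ( $entry[0] === '.' || ! is_dir( $path ) ) {
            continue;
        }
        $mtime   = newest_mtime( $path );
        $unknown = ! in_array( $entry, $allowed, true );
        $recent  = $mtime >= $since_ts;
        if ( $unknown || $recent ) {
            $findings[] = array(
                'slug'     => $entry,
                'modified' => date( 'c', $mtime ),
                'reason'   => $unknown ? 'not in inventory' : 'changed after cut-off',
            );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $since = isset( $argv[2] ) ? strtotime( $argv[2] ) : 0;
    foreach ( audit_plugin_dirs( $argv[1], ALLOWED_PLUGINS, $since ) as $f ) {
        printf( "%-30s %-25s %s\n", $f['slug'], $f['modified'], $f['reason'] );
    }
}
```

Findings are leads, not verdicts: a legitimately updated plugin will also show up as changed. Pair the output with the plugin's own changelog and with the account review the advisory recommends.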


Learn More

An arbitrary file upload vulnerability is reported in the Motors theme for WordPress that allows any authenticated user with Subscriber-level privileges or higher to upload and activate arbitrary plugins on affected sites, potentially leading to complete website takeover.

The vulnerability, tracked as CVE-2025-64374 (CVSS score 9.9), is caused by the theme's mvl_theme_install_base function, which handles plugin installation through an AJAX handler. It lacks proper permission checks to verify whether the requesting user has the privileges needed to install plugins. The nonce value used to protect against cross-site request forgery attacks can be obtained by any Subscriber-level user from the WordPress admin interface.

In this Motors theme vulnerability, the nonce only answers "is this request legitimate?"; the code never asks "does this user have permission to do this?" Attackers can use this to supply arbitrary plugin URLs through the vulnerable function, allowing them to inject malicious code into the site.
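The two questions above map onto two different WordPress API calls, and the flaw is that only the first was made. The snippet below is an added illustration of that pattern and of the fix, not the Motors theme's code; the function names, the `example_install` nonce action and the `example_download_and_activate` helper are hypothetical. `wp_ajax_{action}` handlers run for every logged-in user, Subscribers included, so a nonce check alone establishes intent, not authorization.

```php
<?php
// Added illustration, not code from the Motors theme. All names prefixed
// example_ are hypothetical.

// The pattern the advisory describes: the nonce proves the request was made
// on purpose from an admin page, but nothing checks who is making it.
function example_install_plugin_handler() {
    check_ajax_referer( 'example_install', 'nonce' );      // CSRF protection only
    $url = isset( $_POST['plugin_url'] ) ? $_POST['plugin_url'] : '';
    example_download_and_activate( $url );                  // hypothetical helper
    wp_send_json_success();
}

// Hardened form: authorize the actor, then constrain the input, then let
// core's installer do the work.
function example_install_plugin_secure() {
    check_ajax_referer( 'example_install', 'nonce' );

    // 1. Authorization: only users who may install plugins get past this line.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );             // sends JSON and exits
    }

    // 2. Input: accept a plugin slug, not a download URL, and resolve it
    //    against the WordPress.org plugin directory.
    $slug = isset( $_POST['plugin_slug'] ) ? sanitize_key( $_POST['plugin_slug'] ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'bad_request', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 400 );
    }

    // 3. Installation through Plugin_Upgrader, which applies core's own
    //    filesystem and package checks.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install_failed', 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}

// Registered for logged-in users; the capability check inside does the gating.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_secure' );
```

Note the order: the capability check comes before any input is read, so an unprivileged user learns nothing about what the endpoint accepts. `check_ajax_referer` and `current_user_can` are complementary, and a plugin-installing endpoint needs both.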

Affected versions of the Motors theme are all releases up to and including 5.6.81.

StylemixThemes patched the flaw in 5.6.82. Site owners running the Motors theme should update to version 5.6.82 or later immediately. The Motors theme has already been a target of exploits this year, so there is a high chance this flaw will be exploited as well.
