CVE-2025-4322
Published: 20 May 2025
Summary
CVE-2025-4322 is a critical-severity Unverified Password Change (CWE-620) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to and including 5.6.67. The flaw stems from insufficient validation of a user's identity before allowing a password update, which is tracked under CWE-620 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the issue over the network to modify the password of any account, including administrator accounts, thereby gaining full access without prior authentication or user interaction.
The referenced advisories from the theme's ThemeForest listing and Wordfence threat intelligence do not detail specific patches or mitigation steps in the supplied information.
EPSS for the CVE reached a peak of 0.4386 after disclosure, indicating emerging exploitation interest that warrants renewed attention even though the current score has moderated to 0.3114.
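As an added illustration of the CWE-620 pattern described above (example code written for this page, not the Motors theme's own): a hypothetical WordPress AJAX handler that sets a password for whatever user_id the request names, beside a hardened version that only changes the account a valid, unexpired reset key was issued for. The function names and the `theme_update_password` action name are assumed; the WordPress core functions called are real.

```php
<?php
// Hypothetical illustration of CWE-620 in a theme's password-update
// handler; this is NOT code from the Motors theme.

// VULNERABLE PATTERN: identity comes from the request body and is never proven.
function example_vulnerable_update_password() {
    $user_id  = (int) ( $_POST['user_id'] ?? 0 );
    $new_pass = (string) ( $_POST['new_password'] ?? '' );
    if ( $user_id && $new_pass !== '' ) {
        // Any caller can name any user_id, including an administrator.
        wp_set_password( $new_pass, $user_id );
    }
    wp_die();
}

// HARDENED PATTERN: the caller must present a valid, unexpired reset key
// issued to that login (the same check WordPress core performs), and the
// account changed is the one the key belongs to, not one chosen by the caller.
function example_hardened_update_password() {
    $login    = sanitize_user( wp_unslash( $_POST['login'] ?? '' ) );
    $key      = sanitize_text_field( wp_unslash( $_POST['key'] ?? '' ) );
    $new_pass = (string) wp_unslash( $_POST['new_password'] ?? '' );

    if ( $login === '' || $key === '' || $new_pass === '' ) {
        wp_send_json_error( 'missing parameters', 400 );
    }
    $user = check_password_reset_key( $key, $login ); // WP_User or WP_Error
    if ( is_wp_error( $user ) ) {
        // Do not reveal whether the login exists; record the rejection server-side.
        error_log( 'password reset rejected for supplied login' );
        wp_send_json_error( 'invalid or expired reset key', 403 );
    }
    // reset_password() calls wp_set_password(), which also clears the used key.
    reset_password( $user, $new_pass );
    wp_send_json_success();
}

// Only the unauthenticated (nopriv) path should reach the reset-key flow.
add_action( 'wp_ajax_nopriv_theme_update_password', 'example_hardened_update_password' );
```

A code review or static scan of a theme can look for the first shape directly: any call to wp_set_password() or reset_password() whose user argument is derived from request input without a preceding check_password_reset_key() or current-password verification.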
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-15813
Vulnerability details
The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.