Cyber Resilience

CVE-2025-4322

Critical

Published: 20 May 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none recorded
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3114 (96.9th percentile)
Risk Priority: 38 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-4322 is a critical-severity Unverified Password Change (CWE-620) vulnerability in Themeforest (product inferred from references). Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to and including 5.6.67. The flaw stems from insufficient validation of a user's identity before allowing a password update, which is tracked under CWE-620 and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers can exploit the issue over the network to modify the password of any account, including administrator accounts, thereby gaining full access without prior authentication or user interaction.

The referenced advisories from the theme's ThemeForest listing and Wordfence threat intelligence do not detail specific patches or mitigation steps in the supplied information.

EPSS for the CVE reached a peak of 0.4386 after disclosure, indicating emerging exploitation interest that warrants renewed attention even though the current score has moderated to 0.3114.

Vulnerability details

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.

CWE(s)

CWE-620: Unverified Password Change
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Themeforest (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
