Carder.life

WordPress Motors theme flaw mass-exploited to hijack admin accounts (http://txgate.io:443/showthread.php?t=51301666)

Artifact 06-22-2025 02:27 PM

<div id="post_message_798822">

Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme "Motors" to hijack administrator accounts and gain complete control of a targeted site.<br/>
<br/>
The malicious activity was spotted by Wordfence, which had warned last month about the severity of the flaw, tracked as CVE-2025-4322, and urged users to upgrade immediately.<br/>
<br/>
Motors, developed by StylemixThemes, is a WordPress theme popular among automotive-related websites. It has 22,460 sales on the <a href="https://themeforest.net/item/motors-automotive-cars-vehicle-boat-dealership-classifieds-wordpress-theme/13987211" target="_blank">Envato Market</a> and is backed by an active community of users.<br/>
<br/>
The privilege escalation vulnerability was discovered on May 2, 2025, and first reported by Wordfence on May 19, affecting all versions up to and including 5.6.67.<br/>
<br/>
The flaw arises from an improper user identity validation during password updating, allowing unauthenticated attackers to change administrator passwords at will.<br/>
<br/>
StylemixThemes released Motors version 5.6.68, which addresses CVE-2025-4322, on May 14, 2025, but many users had not applied the update by the time of Wordfence's disclosure and were exposed to elevated exploitation risk.<br/>
<br/>
As Wordfence <a href="https://www.wordfence.com/blog/2025/06/attackers-actively-exploiting-critical-vulnerability-in-motors-theme/" target="_blank">confirms in a new writeup</a>, the attacks began on May 20, only a day after it publicly disclosed the details. Wide-scale attacks were observed by June 7, 2025, with Wordfence reporting that it had blocked 23,100 attempts against its customers.<br/>
<br/>
<img alt="Daily attack volumes. Source: Wordfence" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/exploit-volume(1).jpg"/><br/>
Daily attack volumes. Source: Wordfence<br/>
<br/>
<b><font size="4"><font color="White">Attack process and signs of breach</font></font></b><br/>
<br/>
The vulnerability is in the Motors theme's "Login Register" widget, which includes password recovery functionality.<br/>
<br/>
The attacker first locates the URL where this widget is placed by probing /login-register, /account, /reset-password, /signin, etc., with specially crafted POST requests until they get a hit.<br/>
<br/>
The request contains invalid UTF-8 characters in a malicious 'hash_check' value, causing the hash comparison in the password reset logic to succeed incorrectly.<br/>
<br/>
The POST body also contains a 'stm_new_password' value that resets the user's password, targeting user IDs that typically correspond to administrator users.<br/>
<br/>
<img alt="Example requests from the attacks. Source: Wordfence" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/example-requests.jpg"/><br/>
Example requests from the attacks. Source: Wordfence<br/>
<br/>
Attacker-set passwords observed in the attacks so far include:
<ul>
<li>Testtest123!@#</li>
<li>rzkkd$SP3znjrn</li>
<li>Kurd@Kurd12123</li>
<li>owm9cpXHAZTk</li>
<li>db250WJUNEiG</li>
</ul>
Once access is gained, the attackers log into the WordPress dashboard as administrators and create new admin accounts for persistence.<br/>
<br/>
The sudden appearance of such accounts, combined with existing administrators being locked out (passwords no longer working), is a sign of CVE-2025-4322 exploitation.<br/>
<br/>
Wordfence has also listed in its report several IP addresses that launch these attacks, which WordPress site owners are recommended to add to their block lists.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/wordpress-motors-theme-flaw-mass-exploited-to-hijack-admin-accounts/" target="_blank">@ BleepingComputer </a>
</div>
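The request indicators described in the post above (a POST to one of the probed widget paths whose 'hash_check' value contains invalid UTF-8 alongside an 'stm_new_password' value, plus the attacker-set passwords that were observed) turned into detection logic, as an added Python example that is not code from the article, Wordfence or the Motors theme. The "METHOD PATH BODY" record format, the sample records, and the 'user_id' parameter name are assumptions made for this example; the post does not name the parameter that carries the targeted user ID.

```python
"""Flag CVE-2025-4322-style password-reset abuse in captured POST requests.

Indicators from the post: a POST to a probed widget path whose 'hash_check'
value is not valid UTF-8 together with an 'stm_new_password' value, and the
attacker-set passwords Wordfence observed. The record format, the sample
records and the 'user_id' parameter name are assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote_to_bytes

# Paths the post says attackers probe to locate the Login Register widget.
PROBED_PATHS = {"/login-register", "/account", "/reset-password", "/signin"}

# Attacker-set passwords listed in the post.
KNOWN_ATTACKER_PASSWORDS = {
    "Testtest123!@#", "rzkkd$SP3znjrn", "Kurd@Kurd12123",
    "owm9cpXHAZTk", "db250WJUNEiG",
}

# Constructed sample records in an assumed "<METHOD> <PATH> <form body>" format.
# The first two mimic the attack (invalid UTF-8 in hash_check); the rest are benign.
SAMPLE_RECORDS = [
    b"POST /login-register/ hash_check=%FF%FE%FD&stm_new_password=Testtest123!%40%23&user_id=1",
    b"POST /account/ hash_check=%C3%28&stm_new_password=owm9cpXHAZTk&user_id=2",
    b"POST /login-register/ stm_user_login=alice&stm_user_password=correct-horse",
    b"POST /reset-password/ hash_check=9f2b1c&stm_new_password=MyNewPass1&user_id=7",
    b"GET /signin/ ",
]


@dataclass
class Finding:
    path: str
    target_user: Optional[str]
    new_password: str
    reasons: list[str] = field(default_factory=list)


def parse_form(body: bytes) -> dict[bytes, bytes]:
    """Parse a urlencoded body while keeping raw bytes, so invalid UTF-8 in a
    value is preserved for inspection instead of being replaced or rejected."""
    params: dict[bytes, bytes] = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        # '+' means space in form encoding; translate it before percent-decoding
        # so an encoded %2B still comes out as a literal '+'.
        params[unquote_to_bytes(key.replace(b"+", b" "))] = unquote_to_bytes(
            value.replace(b"+", b" "))
    return params


def is_valid_utf8(data: bytes) -> bool:
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def analyze_record(record: bytes) -> Optional[Finding]:
    """Return a Finding when a record looks like a CVE-2025-4322 reset attempt."""
    parts = record.split(b" ", 2)
    if len(parts) < 3 or parts[0] != b"POST":
        return None
    path = parts[1].decode("utf-8", "replace").rstrip("/") or "/"
    params = parse_form(parts[2])
    if b"hash_check" not in params or b"stm_new_password" not in params:
        return None

    hash_check = params[b"hash_check"]
    new_password = params[b"stm_new_password"].decode("utf-8", "replace")
    malformed = not is_valid_utf8(hash_check)
    known_pw = new_password in KNOWN_ATTACKER_PASSWORDS
    # A well-formed hash_check with an unknown password is an ordinary reset;
    # only a malformed value or a known attacker password makes it a finding.
    if not (malformed or known_pw):
        return None

    reasons = []
    if path in PROBED_PATHS:
        reasons.append("POST to a probed widget path")
    if malformed:
        reasons.append(f"invalid UTF-8 in hash_check ({hash_check.hex()})")
    if known_pw:
        reasons.append("known attacker-set password")
    user = params.get(b"user_id")  # assumed parameter name
    return Finding(path=path,
                   target_user=user.decode("utf-8", "replace") if user is not None else None,
                   new_password=new_password, reasons=reasons)


def scan(records: list[bytes]) -> list[Finding]:
    return [f for f in (analyze_record(r) for r in records) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"{finding.path} user={finding.target_user} "
              f"password={finding.new_password!r}: {'; '.join(finding.reasons)}")
```

The parser deliberately stays in bytes: the whole point of the malformed 'hash_check' is that it is not valid UTF-8, and a parser that decodes with replacement or rejects the request up front would hide exactly the byte sequence worth alerting on. Feed it request bodies from a WAF or reverse-proxy capture in the assumed format; a hit on a legitimate reset hash with an unknown password is intentionally not reported.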

