
Overview
A critical security vulnerability in the popular Motors WordPress theme is being actively exploited by malicious actors to take over admin accounts on affected websites. The flaw, which impacts various versions of the theme, enables unauthorized users to escalate privileges and gain full administrative control — a situation with potentially devastating consequences for site owners.
What is the Motors Theme?
The Motors theme is a premium WordPress theme developed by StylemixThemes, widely used by automotive dealerships and classifieds businesses to build robust, feature-rich websites. With more than 38,000 customers on ThemeForest, its popularity makes it a highly attractive target for attackers.
Details of the Vulnerability
The vulnerability, tracked as CVE-2023-28456, lies in the theme’s support for the MOTORS WPBakery page builder plugin, which introduces two custom user registration functions. When improperly configured, these functions allow threat actors to register unauthorized user accounts with elevated privileges, bypassing the standard WordPress registration workflow.
According to a detailed report by Defiant, the creators of Wordfence, the flaw was originally introduced through an integration plugin created for the theme known as ‘motors-elementor’ or ‘motors’. Attackers have been able to exploit these functions to create admin-level accounts, providing them unrestricted access to exploit or deface websites, inject malware, or steal proprietary data.
Active Exploitation in the Wild
Security researchers have observed a significant spike in exploitation attempts targeting websites using vulnerable versions of the Motors theme. Attackers are automating the process to gain control over as many sites as possible, often by setting up malicious admin accounts with usernames like “se_brutal”.
Who is at Risk?
- WordPress sites running outdated Motors theme versions prior to version 5.4.5
- Sites with the ‘motors’ or ‘motors-elementor’ plugin installed and active
- Website administrators who haven’t disabled the vulnerable user registration features
How to Stay Protected
If you’re using the Motors theme on your WordPress site, immediate action is essential. Follow these steps to mitigate the risk:
- Update the Motors theme to the latest version (at least 5.4.5) where the issue has been patched.
- Review site users and delete any unauthorized administrator accounts.
- Run a full malware scan using a reputable WordPress security tool like Wordfence or Sucuri.
- Disable plugins you do not need, in particular the ‘motors’ integration plugins.
- Consider enabling two-factor authentication (2FA) for all administrators.
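The second step above (review site users and remove unauthorized administrators) is the one most easily turned into a repeatable check. The script below is an added example, not code from the original article or from StylemixThemes: it audits administrator records in the shape WP-CLI produces with `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered,roles --format=json`, flagging any admin that is not on an owner-maintained allowlist, that was registered at or after a chosen cutoff date, or whose username matches the “se_brutal” pattern cited in the article. The user records, the allowlist, and the cutoff date are all constructed for illustration; the field names follow WordPress’ own users table.

```python
"""Audit WordPress administrator accounts for signs of unauthorized creation.

Added example for the mitigation steps in this article; not part of the
Motors theme or of Wordfence/Patchstack tooling. Feed it the JSON that
`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered,roles --format=json`
emits, or the constructed SAMPLE_USERS below.
"""
import re
from datetime import datetime

# Username pattern reported in mass-exploitation activity (article: "se_brutal").
SUSPICIOUS_LOGIN_RE = re.compile(r"^se_brutal", re.IGNORECASE)

# Constructed sample records in WP-CLI's output shape; not real accounts.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
     "user_registered": "2021-03-02 10:15:00", "roles": "administrator"},
    {"ID": 57, "user_login": "se_brutal", "user_email": "x@attacker.example",
     "user_registered": "2024-06-11 03:42:17", "roles": "administrator"},
    {"ID": 58, "user_login": "sales_team", "user_email": "sales@example.com",
     "user_registered": "2024-06-12 09:00:00", "roles": "editor"},
    {"ID": 59, "user_login": "backupadmin", "user_email": "b@example.net",
     "user_registered": "2024-05-30 22:10:05", "roles": "administrator"},
]


def parse_registered(value):
    """Parse WordPress' 'YYYY-MM-DD HH:MM:SS' user_registered timestamp."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def audit_admins(users, allowlist, cutoff_date):
    """Return findings for administrator accounts that look unauthorized.

    allowlist:   set of user_login values the site owner recognises.
    cutoff_date: 'YYYY-MM-DD'; admins registered on or after this date are
                 flagged (e.g. the date of the last known-good user review).
    Each finding is {"ID", "user_login", "user_registered", "reasons"}.
    """
    cutoff = datetime.strptime(cutoff_date, "%Y-%m-%d")
    findings = []
    for user in users:
        # WP-CLI renders multiple roles as a comma-separated string.
        roles = {r.strip() for r in str(user.get("roles", "")).split(",")}
        if "administrator" not in roles:
            continue
        login = user["user_login"]
        reasons = []
        if login not in allowlist:
            reasons.append("not on administrator allowlist")
        if parse_registered(user["user_registered"]) >= cutoff:
            reasons.append("registered on/after cutoff %s" % cutoff_date)
        if SUSPICIOUS_LOGIN_RE.search(login):
            reasons.append("username matches pattern seen in exploitation")
        if reasons:
            findings.append({
                "ID": user["ID"],
                "user_login": login,
                "user_registered": user["user_registered"],
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["ID"])


def render_report(findings):
    """Plain-text summary suitable for a ticket or an incident note."""
    if not findings:
        return "No suspicious administrator accounts found."
    lines = []
    for f in findings:
        lines.append("user %s (ID %d, registered %s): %s" % (
            f["user_login"], f["ID"], f["user_registered"], "; ".join(f["reasons"])))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed allowlist and cutoff for the sample run.
    print(render_report(audit_admins(SAMPLE_USERS, {"owner"}, "2024-05-01")))
```

Flagged accounts should be reviewed and removed with `wp user delete <ID> --reassign=<owner ID>` (or from the Users screen) so that their content is reassigned rather than lost; pairing this check with the theme update is what actually closes the hole, since deleting a rogue admin on an unpatched site only invites the next registration.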
Timeline of the Vulnerability
- March 2023: Vulnerability disclosed to the vendor.
- April 2023: Patch released with version 5.4.5 of the Motors theme.
- May–June 2024: Surge in mass exploitation activity reported.
Security Community’s Response
WordPress security providers – including Wordfence and Patchstack – have issued alerts to site administrators, warning about large-scale attacks leveraging this weakness. Web hosts and managed WordPress service providers are also urging customers to monitor their websites for suspicious activity and update their themes promptly.
Final Thoughts
The Motors theme vulnerability serves as another stark reminder of the importance of regular security updates and thorough plugin/theme vetting on WordPress sites. If neglected, even a trusted premium theme can become a major security liability. Website owners must stay updated, implement proactive security hardening measures, and perform regular audits to ensure that they are protected against fast-moving threats like this one.
Protect your site. Update now. Don’t wait until it’s too late.