
Arbitrary File Upload Vulnerability in Motors WordPress Theme

1 unique source, 1 article

Summary


A critical arbitrary file upload vulnerability (CVE-2025-64374) in the Motors WordPress theme, versions 5.6.81 and below, allows logged-in users with Subscriber-level privileges to gain full control of affected websites by uploading and activating malicious plugins. The flaw resides in an AJAX handler that lacks proper permission checks, enabling site takeovers. The vulnerability was discovered by Denver Jackson and patched in version 5.6.82 released on 3 November 2025.

Timeline

  1. 17.12.2025 18:45 · 1 article

    Motors WordPress Theme Vulnerability Patched

    A critical arbitrary file upload vulnerability in the Motors WordPress theme, versions 5.6.81 and below, was discovered and responsibly reported by Denver Jackson. The flaw allows logged-in users with Subscriber-level privileges to gain full control of affected websites by uploading and activating malicious plugins. The vulnerability was patched in version 5.6.82, released on 3 November 2025, which introduced a current_user_can permission check.


Information Snippets

  • The Motors theme is widely used for automotive websites, including car dealerships and vehicle rental platforms.

    First reported: 17.12.2025 18:45
    1 source, 1 article
  • The vulnerability affects versions 5.6.81 and below and was assigned CVE-2025-64374.

    First reported: 17.12.2025 18:45
    1 source, 1 article
  • The flaw was discovered and responsibly reported by Denver Jackson, a member of the Patchstack Alliance community.

    First reported: 17.12.2025 18:45
    1 source, 1 article
  • The issue was fixed in Motors version 5.6.82, which introduced a current_user_can permission check.

    First reported: 17.12.2025 18:45
    1 source, 1 article
  • The vulnerability allows Subscriber-level users to upload and activate malicious plugins, leading to full site takeover.

    First reported: 17.12.2025 18:45
    1 source, 1 article
  • The flaw resides in an AJAX handler that lacks proper permission checks, allowing non-administrative users to exploit the vulnerability.

    First reported: 17.12.2025 18:45
    1 source, 1 article