Critical Arbitrary File Upload Vulnerability in Motors Theme Affects 20,000+ WordPress Sites
A critical arbitrary file upload vulnerability in the Motors WordPress theme, tracked as CVE-2025-64374, allows any authenticated user to install and activate arbitrary plugins, leading to full site takeover.

A critical arbitrary file upload vulnerability has been discovered in the Motors WordPress theme, a popular theme designed for automotive websites. Tracked as CVE-2025-64374, the flaw affects over 20,000 active installations and allows any authenticated user, even those with only Subscriber-level privileges, to install and activate arbitrary plugins, potentially leading to a complete site takeover.
The vulnerability resides in the `mvl_theme_install_base` AJAX function, which is responsible for installing and activating plugins from the WordPress admin dashboard. The function is hooked to the `wp_ajax_mvl_theme_install_base` action, making it accessible to any logged-in user. While the function includes a nonce check via `check_ajax_referer`, the nonce value itself is exposed to Subscriber-level users on the admin base page. As the WordPress developer documentation warns, nonces should never be relied upon for authentication or access control.
Because the function lacks a proper permission check using `current_user_can()`, an attacker with a Subscriber account can supply an arbitrary plugin URL via the `$_GET['plugin']` parameter. The `Plugin_Upgrader` class then downloads and installs the plugin from that URL, and the `mvl_theme_activate_plugin_activate` function activates it. This allows an attacker to inject malicious code into the site, achieving full remote code execution and complete control over the WordPress installation.
The vulnerability was discovered and reported by Denver Jackson, a member of the Patchstack Alliance community. Patchstack has credited Jackson for the responsible disclosure. The flaw has been patched in version 5.6.82 of the Motors theme. The patch adds a `current_user_can` permissions check to the `mvl_theme_install_base` function, ensuring that only users with the appropriate administrative privileges can trigger the plugin installation and activation process.
Site administrators using the Motors theme are strongly advised to update to version 5.6.82 or later immediately. Given that the vulnerability can be exploited by any authenticated user, including subscribers who may have registered accounts on public-facing sites, the risk of exploitation is significant. Attackers could use this flaw to install backdoors, deface sites, steal sensitive data, or pivot to other attacks on the server.
This vulnerability highlights a common security pitfall in WordPress development: relying on nonces for access control instead of proper capability checks. Nonces are designed to prevent cross-site request forgery (CSRF), not to authenticate user permissions. Developers should always use `current_user_can()` or similar functions to verify that the current user has the required capabilities before performing privileged actions. The Motors theme vulnerability serves as a reminder that even popular, well-maintained themes can contain critical flaws when access control is not properly implemented.
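To make the nonce-versus-capability distinction concrete, the following hypothetical AJAX handler is an added illustration of the pattern described above; it is not the Motors theme's code, and the function names, hook names and nonce action are invented. It shows the nonce-only form beside a hardened form that adds the capability checks and restricts where a plugin package may be fetched from.

```php
<?php
// Added illustration, not the Motors theme's own code. All function and hook
// names here are hypothetical. Only logged-in users can reach wp_ajax_* hooks,
// but "logged in" includes Subscribers, so a nonce alone is not authorization.

// PATTERN TO AVOID: the nonce only proves the request originated from a page
// that rendered it (CSRF protection). If that page is reachable by low-privilege
// users, any of them can call this handler with an attacker-chosen URL.
function example_install_plugin_nonce_only() {
    check_ajax_referer( 'example_install_nonce', 'nonce' );
    $url = isset( $_GET['plugin'] ) ? esc_url_raw( wp_unslash( $_GET['plugin'] ) ) : '';
    example_do_install( $url ); // no current_user_can() check before a privileged action
}

// HARDENED FORM: nonce for CSRF, capability checks for authorization, and the
// package source limited to the official directory (an assumption for this example).
function example_install_plugin_hardened() {
    check_ajax_referer( 'example_install_nonce', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    $url    = isset( $_GET['plugin'] ) ? esc_url_raw( wp_unslash( $_GET['plugin'] ) ) : '';
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    $host   = wp_parse_url( $url, PHP_URL_HOST );
    if ( 'https' !== $scheme || 'downloads.wordpress.org' !== $host ) {
        wp_send_json_error( 'Plugin source not allowed.', 400 );
    }
    example_do_install( $url );
}
add_action( 'wp_ajax_example_install_plugin_hardened', 'example_install_plugin_hardened' );

// Shared install-and-activate step using core's Plugin_Upgrader, as the advisory
// describes. Privileged by nature, so it must only run after the checks above.
function example_do_install( $url ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $url );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'Installation failed.' );
    }
    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( $activated->get_error_message() );
    }
    wp_send_json_success( array( 'plugin' => $plugin_file ) );
}
```

When auditing a theme or plugin, grep every `wp_ajax_` callback for a `current_user_can()` call that precedes the privileged operation; a `check_ajax_referer()` on its own is the signature of this class of bug.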