Full Report
Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme "Motors" to hijack administrator accounts and gain complete control of a targeted site. [...]
Analysis Summary
# Vulnerability: Mass Exploitation of WordPress Motors Theme to Hijack Admin Accounts
## CVE Details
- CVE ID: Not provided in the source text (a specific identifier is missing from the snippet; the mass exploitation context implies one exists or is pending).
- CVSS Score: Not provided.
- CWE: Not explicitly provided, but the flaw suggests Improper Input Validation or Authentication Bypass relating to password reset logic.
## Affected Systems
- Products: WordPress Motors Theme (Specific versions are not listed, but the flaw affects versions containing the vulnerable "Login Register" widget).
- Versions: Unknown vulnerable versions preceding the patch.
- Configurations: Any WordPress site utilizing the Motors theme with the "Login Register" widget enabled, particularly functionality related to password recovery.
## Vulnerability Description
The vulnerability resides in the "Login Register" widget of the WordPress Motors theme, specifically within the password recovery functionality. Attackers can send malicious POST requests containing specially crafted, invalid UTF-8 characters within a `hash_check` parameter. This input causes an incorrect hash comparison during the password reset process, allowing the attacker to successfully execute the password reset logic. The POST body concurrently specifies a new password (`stm_new_password`), enabling the attacker to hijack the account, typically targeting administrator user IDs.
## Exploitation
- Status: Mass-exploited in the wild (Reported high volume of blocked attempts).
- Complexity: Low (Relies on automated probes and specific POST requests).
- Attack Vector: Network (HTTP requests).
## Impact
- Confidentiality: High (Gaining admin access allows viewing/stealing site data).
- Integrity: High (Ability to modify site content, settings, and user roles).
- Availability: High (Attackers create new admins and lock out legitimate admins).
## Remediation
### Patches
- Specific patch versions are not detailed in the provided text, but users must update the Motors theme to the latest version released by the vendor to incorporate the fix.
### Workarounds
1. Immediately check the WordPress dashboard for newly created, unfamiliar administrator accounts and delete them.
2. Tell users who can no longer log in to check whether their credentials have been changed, since an unexplained change indicates compromise.
3. Block the IP addresses known to be involved in the attacks (IPs were listed but are omitted here for summary brevity).
## Detection
- **Indicators of Compromise (IOCs):** Sudden appearance of new, unknown administrator accounts in the WordPress dashboard. Legitimate administrator accounts suddenly being unable to log in (passwords non-functional).
- **Detection Methods and Tools:** Monitoring web server logs for high volumes of POST requests to probable login/reset endpoints (`/login-register`, `/account`, `/reset-password`, `/signin`) containing non-standard or invalid UTF-8 characters in parameters like `hash_check`.
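As an added example (not code from the report or the theme vendor), the following Python applies the check described above to captured request records: POSTs to the named reset/login endpoints whose `hash_check` value percent-decodes to bytes that are not well-formed UTF-8. It assumes a log source that records POST parameters, such as a WAF or application log, since plain access logs normally omit request bodies; the sample records and IP addresses are constructed.

```python
from collections import Counter
from urllib.parse import unquote_to_bytes

# Endpoints named in the detection guidance above (prefix match on the path).
RESET_PATHS = ("/login-register", "/account", "/reset-password", "/signin")

# Constructed sample records (client IP, method, path, raw POST body); not real traffic.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "POST", "/account/", "hash_check=%C3%A9abc&stm_new_password=x"),
    ("198.51.100.7", "POST", "/reset-password/", "hash_check=%FF%FE%C0&stm_new_password=p"),
    ("198.51.100.7", "POST", "/signin/", "hash_check=%ED%A0%80&stm_new_password=q"),
    ("203.0.113.9", "POST", "/signin", "username=bob&password=secret"),
    ("203.0.113.9", "GET", "/reset-password/", ""),
    ("203.0.113.9", "POST", "/contact", "hash_check=%80"),
]

def has_invalid_utf8(raw_value: str) -> bool:
    """True when the percent-decoded bytes are not well-formed UTF-8."""
    try:
        unquote_to_bytes(raw_value).decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False

def form_fields(body: str) -> dict:
    """Split a urlencoded body into raw (still percent-encoded) values."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key:
            fields[key] = value
    return fields

def is_suspicious(method: str, path: str, body: str, param: str = "hash_check") -> bool:
    """POST to a reset/login endpoint whose hash_check decodes to invalid UTF-8."""
    if method != "POST" or not any(path.startswith(p) for p in RESET_PATHS):
        return False
    value = form_fields(body).get(param)
    return value is not None and has_invalid_utf8(value)

def scan(records):
    """Return (flagged requests, per-IP count of flagged requests) for volume triage."""
    flagged = [r for r in records if is_suspicious(r[1], r[2], r[3])]
    return flagged, Counter(r[0] for r in flagged)

if __name__ == "__main__":
    flagged, per_ip = scan(SAMPLE_REQUESTS)
    for ip, method, path, _ in flagged:
        print(f"suspicious: {ip} {method} {path}")
    print(dict(per_ip))
```

A second, well-formed request in the sample (`%C3%A9`) is deliberately left unflagged, so the check keys on malformed bytes rather than on any non-ASCII input.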
## References
- Vendor advisories: None cited in the source; consult the theme developer's release notes for the fixed version.
- Relevant links:
- bleepingcomputer dot com/news/security/wordpress-motors-theme-flaw-mass-exploited-to-hijack-admin-accounts/ (Main news source)