Critical Vulnerability Found in Popular WordPress Theme
A critical vulnerability has been disclosed in the "Alone – Charity Multipurpose Non-profit WordPress Theme" that puts websites running this theme at risk. The flaw, tracked as CVE-2025-5394, has been assigned a CVSS score of 9.8, reflecting its severity. It was reported by security researcher Thái An.
Details of the Vulnerability
According to Wordfence, the flaw is an arbitrary file upload vulnerability affecting all versions of the theme prior to 7.8.3. It has been fixed in the latest version, 7.8.5, released on June 16, 2025.
The root cause is the function "alone_import_pack_install_plugin()", which is missing a capability check. Because the function is reachable through AJAX, unauthenticated users can make the site install arbitrary plugins fetched from external sources, which ultimately leads to remote code execution.
Potential Exploits and Threats
István Márton from Wordfence stated, "This vulnerability enables an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, typically leading to a complete site takeover." The warning underlines how easily an attacker can take control of an unpatched site.
Evidence suggests that exploitation of CVE-2025-5394 began as early as July 12, 2025, two days before the vulnerability was publicly disclosed. Such rapid exploitation indicates that some attackers were closely monitoring code changes to spot newly identified vulnerabilities.
Attempts to Exploit the Vulnerability
Since the vulnerability was discovered, Wordfence has blocked 120,900 attempts to exploit it, traced to a number of source IP addresses (both IPv4 and IPv6).
Common Tactics in Exploits
Attacks exploiting this vulnerability typically upload ZIP archives with names such as "wp-classic-editor.zip" or "background-image-cropper.zip". These archives commonly contain PHP backdoors that let attackers run commands remotely and upload further malicious files. Some payloads also deploy fully functional file managers and backdoors that create unauthorized administrator accounts.
Recommendations for Site Owners
To protect against threats stemming from this vulnerability, WordPress site owners using the Alone theme are strongly advised to act immediately. Steps include:
- Updating to the latest version of the theme.
- Checking for any suspicious administrative users in the site's backend.
- Reviewing logs for any requests to "/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin".
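A small helper for the log-review step above, added here as an illustration and not part of the original advisory or of Wordfence's tooling. It assumes Apache/nginx combined-format access logs; the sample lines are constructed, and it only flags the action when it appears in the query string, since a POST that carries `action` in the request body leaves no trace of it in the access log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2025:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [14/Jul/2025:10:02:14 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 73 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jul/2025:10:02:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.55 - - [14/Jul/2025:10:05:01 +0000] "GET /wp-content/plugins/wp-classic-editor/ HTTP/1.1" 404 220 "-" "curl/8.4"
"""

# client IP, timestamp, request method, request target and status code from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SUSPECT_ACTION = "alone_import_pack_install_plugin"  # the AJAX action named in the advisory


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec):
    """True when the request targets admin-ajax.php with the vulnerable action in its query string."""
    url = urlsplit(rec["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    # parse_qs handles repeated and percent-encoded parameters; compare the decoded values
    return SUSPECT_ACTION in parse_qs(url.query).get("action", [])


def find_exploit_attempts(log_text):
    """Return (ip, timestamp, method, status) for every line that matches the indicator.

    A 200 response to such a request is the case to investigate first: it means the
    endpoint answered rather than rejecting the call.  The third sample line is a POST
    with no query string and is deliberately not matched; body parameters are invisible here.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["ip"], rec["ts"], rec["method"], int(rec["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print("possible CVE-2025-5394 attempt:", hit)
```

Run it against a real access log by passing the file contents to `find_exploit_attempts`; requests that were answered with 200 should be correlated with newly created plugin directories and administrator accounts.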
By following these recommendations, website administrators can significantly mitigate the risks associated with this critical vulnerability and better secure their online presence.