Hackers actively exploit critical RCE in WordPress Alone theme

Threat actors are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the WordPress theme ‘Alone,’ to achieve remote code execution and perform a full site takeover.

Wordfence is reporting the malicious activity, saying it has blocked over 120,000 exploitation attempts targeting its customers.

The WordPress security firm also reports that the attacks started several days before public disclosure of the flaw, indicating that threat actors are monitoring changelogs and patches to discover trivially exploitable issues before alerts are sent to website owners.

The vulnerability, tracked under CVE-2025-5394, impacts all versions of Alone up to 7.8.3. The vendor, Bearsthemes, fixed it in Alone version 7.8.5, released on June 16, 2025.

The problem stems from the theme’s ‘alone_import_pack_install_plugin()’ function, which lacks nonce checks and is exposed via the wp_ajax_nopriv_ hook.

The function allows plugin installation via AJAX, and accepts a remote source URL in the POST data, enabling unauthenticated users to trigger plugin installations from remote URLs.

According to Wordfence, attackers leverage the flaw to upload webshells inside ZIP archives, deploy password-protected PHP backdoors that allow persistent remote command execution via HTTP requests, or create hidden administrator users.

In some cases, the attackers even install full-featured file managers that give them complete control over the site’s databases.

Given the above, signs of compromise include the appearance of new admin users, suspicious ZIP/plugin folders, and requests to ‘admin-ajax.php?action=alone_import_pack_install_plugin.’

Wordfence logged tens of thousands of exploitation attempts from the IP addresses 193.84.71.244, 87.120.92.24, 146.19.213.18, and 2a0b:4141:820:752::2, so these should be blocked immediately.

Alone is a premium theme with nearly 10,000 sales on the Envato market, primarily used by non-profits such as charities, NGOs, fundraising organizations, and social organizations.

Although Wordfence submitted a report to Bearsthemes as early as May 30, 2025, they did not hear back, so they escalated the issue to the Envato team on June 12.

Four days later, the vendor released a fixed version of Alone, v7.8.5, which is the recommended update target for all users.

Last month, another premium WordPress theme, Motors, was targeted by hackers who exploited a user validation flaw to hijack administrator accounts on vulnerable websites.