A critical remote code execution (RCE) vulnerability has been identified in the Alone WordPress theme, a popular choice for charity-focused websites. The flaw, tracked as CVE-2025-5394 with a CVSS score of 9.8, is being actively exploited to take full control of affected sites. It affects versions 7.8.3 and earlier of the theme, which is in use on more than 9,000 websites.
Technical Details of the Vulnerability
The root cause of this vulnerability lies in the `alone_import_pack_install_plugin()` function within the theme’s codebase. This function, responsible for handling plugin installations during the theme’s setup process, lacks proper capability checks. Consequently, unauthenticated attackers can exploit the `wp_ajax_nopriv_alone_import_pack_install_plugin` AJAX action to upload arbitrary files disguised as plugins from remote sources.
The vulnerable function acts on POST data without any authentication or capability check:
```php
// Vulnerable handler as described in the advisory: no capability check,
// no nonce check, and the plugin source is taken straight from the request.
function alone_import_pack_install_plugin() {
    if ( isset( $_POST['plugin_source'] ) ) {
        // $plugin_source may be a local plugin slug or a remote URL chosen by the caller
        $plugin_source = $_POST['plugin_source'];
        // Plugin installation logic
    }
}
```
This design flaw enables attackers to install malicious plugins containing webshells and backdoors by sending crafted requests to `/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin`. The vulnerability allows both local plugin slugs and remote sources via the `plugin_source` parameter, making exploitation straightforward for cybercriminals.
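To make the missing controls concrete, the following is an added example of what a hardened version of this handler looks like. It is not the theme's actual patch, which is not shown on this page; the `_hardened` suffix, the nonce action name `alone_import_pack`, the `plugin_slug` parameter and the contents of the allow-list are assumptions for illustration, while the WordPress core APIs used are real.

```php
<?php
// Added example, not the Alone theme's code. Names other than WordPress core
// APIs (the _hardened suffix, the nonce action, the allow-list) are assumed.

// Register for logged-in users only. Not registering a wp_ajax_nopriv_ hook
// at all removes the unauthenticated path that the advisory describes.
add_action( 'wp_ajax_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin_hardened' );

function alone_import_pack_install_plugin_hardened() {
    // 1. CSRF: the request must carry a nonce issued to the current user.
    //    check_ajax_referer() dies with a 403 if the nonce is missing or bad.
    check_ajax_referer( 'alone_import_pack', 'nonce' );

    // 2. Authorization: being logged in is not enough (subscribers are logged
    //    in too); installing plugins requires the install_plugins capability.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only a slug from a fixed allow-list, never a
    //    caller-supplied URL or filesystem path. (Allow-list contents assumed.)
    $allowed = array(
        'contact-form-7' => 'contact-form-7/wp-contact-form-7.php',
        'elementor'      => 'elementor/elementor.php',
    );
    $slug = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    if ( '' === $slug || ! isset( $allowed[ $slug ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }

    // 4. Resolve the download URL from wordpress.org by slug, so the package
    //    origin is never taken from the request.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 502 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }

    wp_send_json_success( array( 'installed' => $allowed[ $slug ] ) );
}
```

The three checks are independent and all three matter: the nonce stops cross-site request forgery against an administrator's browser, the capability check stops low-privilege accounts, and the allow-list stops the "remote source" path that turns an install feature into arbitrary file upload even for a legitimate administrator's session.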
Active Exploitation in the Wild
Reports indicate that exploitation of this vulnerability began on July 12, 2025, two days before its public disclosure. This suggests that attackers are examining released patches for newly fixed security issues rather than waiting for public advisories. Security researchers have documented over 120,900 blocked exploit attempts since monitoring commenced.
Attackers are delivering their payloads as plugin zip files with innocuous-looking names such as `wp-classic-editor.zip` and `background-image-cropper.zip`. One captured backdoor sample showed the obfuscation techniques typical of this kind of webshell.
The most active attacking IP addresses include 193.84.71.244 (39,900+ requests) and 87.120.92.24 (37,100+ requests). Malicious domains hosting exploit payloads include `cta.imasync[.]com` and `dari-slideshow[.]ru`.
Mitigation and Recommendations
Website administrators using the Alone theme are strongly advised to take the following actions immediately:
1. Update the Theme: Upgrade to version 7.8.5 or later, which includes patches addressing this vulnerability.
2. Inspect for Malicious Plugins: Examine the `/wp-content/plugins` and `/wp-content/upgrade` directories for any unauthorized or suspicious plugin installations.
3. Review Access Logs: Analyze server access logs for POST requests to `/wp-admin/admin-ajax.php` whose query string contains `action=alone_import_pack_install_plugin`, paying particular attention to any that returned HTTP 200 (meaning the handler ran) and to requests from the IP addresses listed above.
4. Implement Security Measures: Utilize security plugins and firewalls to monitor and block malicious activities.
For users of security solutions like Wordfence, firewall rules addressing this vulnerability were released on May 30, 2025, with free tier users receiving protection from June 29. Ensuring that security plugins are up-to-date is crucial in mitigating potential threats.
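As an added example of the log review step (not code from the original advisory), the PHP script below parses combined-format access-log lines and flags requests that match the exploit pattern. The log lines embedded in it are constructed for illustration; only the action name and the two attacker IP addresses come from the advisory text, and the function names are this example's own.

```php
<?php
// Added example, not from the original advisory. The sample log lines are
// constructed; the action name and attacker IPs are taken from the text above.

const ALONE_EXPLOIT_ACTION      = 'alone_import_pack_install_plugin';
const ALONE_KNOWN_ATTACKER_IPS  = array( '193.84.71.244', '87.120.92.24' );

/**
 * Parse one Apache/nginx combined-format log line into its fields,
 * returning null for lines that do not match the format.
 */
function alone_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'uri'     => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    );
}

/**
 * Return the requests that look like exploit attempts: any hit on
 * admin-ajax.php whose query string names the vulnerable action, wherever
 * WordPress is installed under the document root. Each hit is annotated with
 * whether the source IP is one of the advisory's top attackers and whether
 * the server answered 200 (the handler ran) rather than being blocked.
 */
function alone_find_exploit_attempts( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $req = alone_parse_log_line( $line );
        if ( null === $req ) {
            continue;
        }
        $path  = parse_url( $req['uri'], PHP_URL_PATH );
        $query = parse_url( $req['uri'], PHP_URL_QUERY );
        if ( ! $path || substr( $path, -strlen( '/admin-ajax.php' ) ) !== '/admin-ajax.php' ) {
            continue;
        }
        parse_str( (string) $query, $params );
        if ( ! isset( $params['action'] ) || $params['action'] !== ALONE_EXPLOIT_ACTION ) {
            continue;
        }
        $req['known_attacker'] = in_array( $req['ip'], ALONE_KNOWN_ATTACKER_IPS, true );
        $req['severity']       = ( 200 === $req['status'] ) ? 'likely-compromised' : 'attempt';
        $hits[] = $req;
    }
    return $hits;
}

// Constructed sample lines (not real log data).
$sample = array(
    '203.0.113.10 - - [12/Jul/2025:08:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4510 "-" "Mozilla/5.0"',
    '193.84.71.244 - - [12/Jul/2025:08:15:37 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '87.120.92.24 - - [12/Jul/2025:08:16:01 +0000] "POST /blog/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/Jul/2025:08:17:45 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 63 "https://example.org/wp-admin/" "Mozilla/5.0"',
);

foreach ( alone_find_exploit_attempts( $sample ) as $hit ) {
    printf(
        "%s %s %s %d %s%s\n",
        $hit['time'],
        $hit['ip'],
        $hit['uri'],
        $hit['status'],
        $hit['severity'],
        $hit['known_attacker'] ? ' (known attacker IP)' : ''
    );
}
```

Run it with `php scan.php` after replacing `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`. One caveat: WordPress also accepts the `action` parameter in the POST body, which access logs do not record, so an empty result from this scan is not proof of safety; the directory inspection in step 2 above still needs to be done, and any 200 response to the query-string form should be treated as a compromise until the `plugins` and `upgrade` directories have been checked.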
Conclusion
The active exploitation of the RCE vulnerability in the Alone WordPress theme underscores the critical importance of timely software updates and vigilant security practices. Website administrators must remain proactive in monitoring for vulnerabilities and implementing necessary patches to safeguard their sites against potential compromises.