A significant security flaw has been identified in the “Alone – Charity Multipurpose Non-profit WordPress Theme,” which is actively being exploited by malicious actors to gain control over vulnerable websites. This vulnerability, designated as CVE-2025-5394, has been assigned a CVSS severity score of 9.8, indicating its critical nature. Security researcher Thái An is credited with discovering and reporting this issue.
The vulnerability affects all versions of the theme up to and including 7.8.3. It was addressed in version 7.8.5, released on June 16, 2025. The flaw resides in the “alone_import_pack_install_plugin()” function, which lacks proper capability checks. This oversight allows unauthenticated users to install arbitrary plugins from remote sources via AJAX, leading to potential code execution on the affected site.
Wordfence, a prominent WordPress security firm, has reported that this vulnerability enables attackers to upload arbitrary files to a vulnerable site, potentially resulting in a complete site takeover. Evidence indicates that exploitation of CVE-2025-5394 began on July 12, 2025, two days before the vulnerability was publicly disclosed. This suggests that attackers may have been monitoring code changes to identify and exploit newly addressed vulnerabilities.
Wordfence has blocked over 120,900 exploit attempts targeting this flaw. The attacks have originated from several IP addresses.
In the observed attacks, perpetrators have uploaded ZIP archives named “wp-classic-editor.zip” or “background-image-cropper.zip,” containing PHP-based backdoors. These backdoors allow remote command execution and the uploading of additional files. Attackers have also deployed fully-featured file managers and backdoors capable of creating unauthorized administrator accounts.
Contextual Background:
WordPress, as the world’s most popular content management system, powers a significant portion of websites globally. Its extensive ecosystem of themes and plugins offers flexibility and functionality but also introduces potential security risks. Vulnerabilities in themes and plugins can serve as entry points for attackers, leading to unauthorized access, data breaches, and site defacements.
The “Alone” theme is widely used by non-profit organizations to create engaging and functional websites. However, the recent discovery of CVE-2025-5394 underscores the importance of regular updates and vigilant security practices.
Mitigation Steps:
To protect against potential threats, WordPress site administrators using the “Alone” theme should take the following actions:
1. Update the Theme: Ensure that the theme is updated to version 7.8.5 or later, where the vulnerability has been patched.
2. Audit Administrator Accounts: Review the list of administrator accounts for any unauthorized additions and remove any suspicious accounts.
3. Monitor Logs: Examine server logs for requests to “/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin,” which may indicate exploitation attempts.
4. Implement Security Measures: Utilize security plugins and firewalls to detect and block malicious activities.
5. Regular Backups: Maintain regular backups of the website to facilitate recovery in case of a security incident.
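As an added example (not code from Wordfence or the theme author), the log check in step 3 carried out in Python over constructed combined-format access-log lines; the log layout is assumed and the IP addresses are RFC 5737 documentation addresses, not the ones seen in the campaign.

```python
import re
from collections import Counter

# Combined log format (Apache/nginx default): client IP, timestamp,
# request line, status and response size. Assumed layout, not a site's real log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "alone_import_pack_install_plugin"   # action named in the advisory


def is_exploit_attempt(line):
    """Return (ip, method, status) if the request calls the vulnerable AJAX
    action on admin-ajax.php, else None. The query string is parsed into
    parameters, so the position of 'action' among other parameters does
    not matter and lookalike paths (e.g. /index.php?action=...) are ignored."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    if path != TARGET_PATH:
        return None
    params = {}
    for p in query.split("&"):
        if p:
            key, _, value = p.partition("=")
            params[key] = value
    if params.get("action") != TARGET_ACTION:
        return None
    return (m.group("ip"), m.group("method"), int(m.group("status")))


def scan(lines):
    """Count requests to the vulnerable action per client IP."""
    hits = Counter()
    for line in lines:
        r = is_exploit_attempt(line)
        if r:
            hits[r[0]] += 1
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2025:03:14:07 +0000] "GET /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2025:03:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 54 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2025:03:15:41 +0000] "POST /wp-admin/admin-ajax.php?_=1&action=alone_import_pack_install_plugin HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jul/2025:03:16:00 +0000] "GET /index.php?action=alone_import_pack_install_plugin HTTP/1.1" 404 120 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for ip, n in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} request(s) to the vulnerable action")
```

Because admin-ajax.php also accepts the action parameter in a POST body, which access logs do not record, a clean result here does not rule out attempts; a web application firewall or request-body logging is needed for full coverage.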
Broader Implications:
This incident highlights a broader trend of attackers targeting vulnerabilities in WordPress themes and plugins. For instance, in early 2025, a critical vulnerability in the “Motors” theme was exploited, allowing unauthenticated attackers to change passwords and take over websites. Similarly, the “Post SMTP” plugin, with over 400,000 active installations, had a flaw that permitted low-privileged users to access email logs and reset admin passwords.
These examples emphasize the necessity for website administrators to stay informed about security advisories, apply updates promptly, and implement comprehensive security measures.
Conclusion:
The exploitation of CVE-2025-5394 in the “Alone” WordPress theme serves as a stark reminder of the ever-present threats in the digital landscape. By proactively updating themes and plugins, monitoring for suspicious activities, and adhering to best security practices, website owners can significantly reduce the risk of compromise and ensure the integrity of their online presence.