A critical zero-day vulnerability (CVE-2025-5394) found in the widely used “Alone – Charity Multipurpose Non-profit WordPress Theme” is currently being actively exploited in the wild, putting thousands of WordPress sites at significant risk. This severe security flaw enables unauthenticated attackers to remotely upload arbitrary files and achieve full remote code execution (RCE), often resulting in complete site compromise.
Vulnerability Details
- Technical Cause: The vulnerability stems from missing capability and nonce checks in the alone_import_pack_install_plugin() function. This insecure function is exposed through the wp_ajax_nopriv_alone_import_pack_install_plugin AJAX action, allowing attackers to bypass authentication checks.
- Attack Vector: Threat actors exploit this flaw by sending specially crafted POST requests to the affected AJAX endpoint, uploading malicious ZIP archives disguised as plugins. Once processed, these ZIPs typically deploy PHP-based backdoors, hidden admin accounts, or persistent webshells.
- Scope of Impact: All theme versions up to and including 7.8.3 are vulnerable. Bearsthemes, the theme’s developer, released a patched version (7.8.5) on June 16, 2025.
- Exploitation Timeline: Malicious activity leveraging this vulnerability began as early as July 12, 2025, prior to the public disclosure of the security issue on July 14, 2025. This rapid exploitation highlights that attackers are proactively monitoring software update logs for newly patched vulnerabilities.
Widespread Impact and Ongoing Attacks
- Scale: Security experts have detected and blocked more than 120,900 exploitation attempts targeting this vulnerability. Over 9,000 WordPress sites reportedly remain at risk, particularly those that have yet to update the Alone theme.
- Modus Operandi: Attackers are primarily uploading archive files with names such as wp-classic-editor.zip and background-image-cropper.zip, which install backdoors or establish unauthorized administrative access. Several related malicious domains and IP addresses are now blacklisted by security vendors.
Recommended Actions for Site Owners
- Update Urgently: All administrators using the Alone theme should immediately update to version 7.8.5 or later to remediate the vulnerability.
- Post-Intrusion Response: Sites already compromised require a multi-pronged incident response. Administrators should:
  - Audit all installed plugins for suspicious or unknown entries.
  - Remove unauthorized administrator accounts.
  - Scan the plugins and uploads directories for suspicious files or code.
  - Review server logs for historic indicators of compromise or additional malicious activity.
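As an added example for the log-review step (not code from the advisory or the theme vendor), the following Python script triages web-server access logs: it flags requests that name the vulnerable AJAX action in the request line and hits on plugin paths matching the archive names reported above. It assumes WordPress's standard admin-ajax.php endpoint and Apache combined-log format, and runs on constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample entries in Apache combined-log format (RFC 5737 test
# addresses); illustrative, not captured attack traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2025:03:14:09 +0000] "GET /wp-content/plugins/wp-classic-editor/index.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2025:03:20:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 38 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2025:03:20:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Jul/2025:11:02:51 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

VULN_ACTION = "alone_import_pack_install_plugin"
# Plugin slugs derived from the archive names reported in the campaign.
KNOWN_DROPPED_SLUGS = ("wp-classic-editor", "background-image-cropper")


def classify(method, target):
    """Return (confidence, reason) for one request, or None if unremarkable."""
    parts = urlsplit(target)
    action = parse_qs(parts.query).get("action", [""])[0]
    if parts.path.endswith("/admin-ajax.php"):
        if action == VULN_ACTION:
            return ("high", f"request to vulnerable AJAX action {VULN_ACTION}")
        if method == "POST" and not action:
            # The action may be in the POST body, which access logs do not
            # record, so only flag it for correlation with file timestamps.
            return ("low", "POST to admin-ajax.php with action not visible in log")
    for slug in KNOWN_DROPPED_SLUGS:
        if f"/wp-content/plugins/{slug}/" in parts.path:
            return ("high", f"access to plugin path matching dropped archive {slug}")
    return None


def triage(log_text):
    """Parse combined-format lines and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        verdict = classify(m["method"], m["target"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                             "confidence": verdict[0], "reason": verdict[1]})
    return findings
```

Pass a real access log's contents to triage() and cross-check any low-confidence hits against file creation times under wp-content/plugins and wp-content/uploads.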