Threat actors are aggressively exploiting a critical security flaw in the “Alone – Charity Multipurpose Non-profit WordPress Theme,” putting countless websites at risk of a complete takeover. The vulnerability, identified as CVE-2025-5394, has been assigned a critical CVSS severity score of 9.8 out of 10. The security bug, discovered and reported by researcher Thái An, affects all versions of the theme up to and including 7.8.3. A patch was released on June 16, 2025, in version 7.8.5.
According to the security firm Wordfence, the vulnerability is an arbitrary file upload weakness rooted in a specific function called alone_import_pack_install_plugin().
The core issue is a missing capability check within this function. This oversight allows an unauthenticated attacker to abuse an AJAX action, tricking the website into installing a malicious plugin from a remote source. This effectively grants the attacker the ability to upload any file, leading to remote code execution and ultimately, full control of the compromised website.
Evidence shows that cybercriminals began exploiting this vulnerability on July 12, a full two days before the flaw was publicly disclosed. This short window suggests that the attackers may have reverse-engineered the patch by monitoring code changes to develop an exploit quickly. Wordfence reported that it has already blocked over 120,900 exploit attempts targeting CVE-2025-5394, indicating a widespread and automated attack campaign.
In the observed attacks, hackers are using the vulnerability to upload malicious ZIP archives, often named “wp-classic-editor.zip” or “background-image-cropper.zip”. These archives contain PHP-based backdoors that allow the attackers to execute remote commands, upload additional malicious files, and install fully-featured file managers. A primary goal of these attacks is to create rogue administrator accounts, giving the threat actors persistent access and control over the infected WordPress sites.
Mitigation and Recommendations.
To defend against these attacks, it is crucial for all users of the “Alone” WordPress theme to update to version 7.8.5 immediately. After updating, website owners should conduct a thorough security check. This includes reviewing the user list for any suspicious administrator accounts that they did not create. Furthermore, administrators should scan their server access logs for any requests to /wp-admin/admin-ajax.php that include the parameter action=alone_import_pack_install_plugin, as this is a clear indicator of an attempted or successful exploit.
Reference:
