Pierluigi Paganini July 31, 2025

Hackers exploit a critical vulnerability, tracked as CVE-2025-5394 (CVSS score of 9.8), in the Alone WordPress theme to hijack sites.

Threat actors are actively exploiting a critical flaw, tracked as CVE-2025-5394 (CVSS score of 9.8), in the “Alone – Charity Multipurpose Non-profit WordPress Theme” to compromise websites.

On May 30th, 2025, security researcher Thái An reported the bug via WordPress security firm Wordfence.

“This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.” reads the advisory published by Wordfence.

The issue is an Arbitrary File Upload via Plugin Installation vulnerability in the Alone theme, which has more than 9,000 installations.

The flaw was exploited as zero-day, its exploitation began before public disclosure on July 14, 2025. The flaw impacts Alone theme versions up to 7.8.3, it was addressed on June 16 in version 7.8.5.

“According to our data, attackers started targeting websites on July 12th, before the vulnerability was publicly disclosed, on July 14th. A clear indication that attackers are monitoring changesets and software for newly patched vulnerabilities.” continues the report.

The researchers examined the theme code and discovered that the alone_import_pack_install_plugin() function in the Alone WordPress theme lacked capability and nonce checks, allowing unauthenticated users to access it via the wp_ajax_nopriv hook. This allowed attackers to install plugins using remote sources by sending crafted requests, leading to arbitrary file uploads and potential remote code execution. In effect, the flaw enabled full site takeover through unauthorized plugin installation.

Since the vendor patched the flaw, Wordfence has blocked over 120,900 exploit attempts. Several IP addresses, including 193.84.71.244 and 87.120.92.24, are responsible for tens of thousands of malicious requests targeting the Alone theme.

In the attacks blocked by Wordfence, threat actors exploit the flaw to upload ZIP files like “wp-classic-editor.zip” containing PHP backdoors. These let them run remote commands, upload more files, and even install full file managers or hidden admin accounts, giving them full control over the site.

WordPress site admins using the Alone theme should update to the latest version, check for suspicious admin accounts, and scan logs for requests to /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Alone WordPress theme)