Critical RCE Flaw in “Alone” WordPress Theme Actively Exploited, Allowing Full Site Takeover
A critical vulnerability has been discovered in the widely used WordPress theme “Alone — Charity Multipurpose Non-profit”, which is already being exploited by malicious actors to compromise websites. Tracked as CVE-2025-5394, the flaw has been assigned a CVSS score of 9.8, underscoring its extreme severity. The issue was identified by security researcher Thai An, with initial exploitation attempts observed even before the official disclosure.
The vulnerability stems from a flaw in the alone_import_pack_install_plugin() function, which fails to properly verify access permissions. This oversight allows unauthenticated users to send AJAX requests that upload arbitrary ZIP archives containing malicious payloads directly to the server, granting attackers full control over the affected site. All theme versions up to and including 7.8.3 are vulnerable. A fix was issued in version 7.8.5, released on June 16, 2025.
According to Wordfence, attacks began on July 12, two days prior to the public disclosure. This timeline suggests that attackers are closely monitoring code changes to preemptively identify and weaponize risky modifications.
Since the onset of the campaign, Wordfence specialists have recorded over 120,000 exploitation attempts. These attacks have originated from a broad range of IPv4 and IPv6 addresses.
The attackers have been deploying ZIP archives named deceptively as “wp-classic-editor.zip” and “background-image-cropper.zip”, which contain PHP backdoors. These scripts enable remote command execution, file uploads, and even the creation of fake administrator accounts. In some instances, attackers have also installed full-featured file managers for continued unauthorized access to the server’s contents.
To mitigate the threat, WordPress site owners using the Alone theme are strongly urged to update immediately to version 7.8.5 or later. Beyond applying the patch, it is critical to inspect the site for suspicious administrator accounts and thoroughly analyze request logs, particularly those targeting /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin.
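As an added illustration (not code from the article, the theme, or Wordfence), the following Python scanner applies the log check recommended above to constructed access-log lines: it picks out requests to /wp-admin/admin-ajax.php whose action parameter is alone_import_pack_install_plugin and tallies them per source address, split by whether the server accepted the request. The log lines and addresses are made up for the example; it assumes combined-format web server logs and that the action is passed in the query string.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# The vulnerable AJAX action named in the advisory.
VULN_ACTION = "alone_import_pack_install_plugin"

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2025:03:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "WordPress/6.5"
203.0.113.10 - - [12/Jul/2025:03:16:22 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 512 "-" "curl/8.0"
2001:db8::1 - - [12/Jul/2025:03:17:40 +0000] "GET /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin&x=1 HTTP/1.1" 403 120 "-" "python-requests/2.31"
192.0.2.55 - - [12/Jul/2025:03:18:05 +0000] "GET /blog/?s=alone_import_pack_install_plugin HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Source address, timestamp, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_exploit_attempt(entry):
    """True when the request hits admin-ajax.php with the vulnerable action in its query string."""
    url = urlsplit(entry["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return VULN_ACTION in parse_qs(url.query).get("action", [])

def scan_log(text):
    """Return the parsed entries whose request targets the vulnerable action."""
    entries = (parse_line(line) for line in text.splitlines())
    return [e for e in entries if e and is_exploit_attempt(e)]

def summarize_by_ip(hits):
    """Count attempts per source address, separating accepted (2xx) from rejected requests."""
    counts = Counter()
    for h in hits:
        outcome = "accepted" if h["status"].startswith("2") else "rejected"
        counts[(h["ip"], outcome)] += 1
    return counts

if __name__ == "__main__":
    for (ip, outcome), n in summarize_by_ip(scan_log(SAMPLE_LOG)).items():
        print(f"{ip:20} {outcome:9} {n}")
```

If the action is sent only in the POST body it will not appear in an access log, so pair this check with the review of administrator accounts the article recommends and a look for plugins you did not install.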