A critical-severity vulnerability in the popular Alone – Charity Multipurpose Non-profit WordPress Theme has left thousands of WordPress sites at risk of remote code execution (RCE), according to a report from Wordfence. The flaw, now tracked as CVE-2025-5394 with a CVSS score of 9.8, allows unauthenticated attackers to upload arbitrary files via plugin installation—potentially leading to full site compromise.
“This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution,” Wordfence explained.
The vulnerability lies in the improper use of the alone_import_pack_install_plugin() function, which lacks both capability and nonce checks. The AJAX action, exposed to unauthenticated users via the nopriv hook, allows attackers to install plugins not just from slugs, but also from remote sources, which is the key vector for exploitation.
Wordfence issued a public disclosure on July 14th, 2025, but threat actors had already begun exploiting the flaw two days earlier, on July 12th, clearly demonstrating that attackers are actively monitoring changesets for unpatched opportunities.
“The Wordfence Firewall has already blocked over 120,900 exploit attempts targeting this vulnerability,” the team reported.
Attackers leverage the flaw by sending a crafted request to:
which results in the installation of a plugin laced with a malicious PHP backdoor.
“As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.”
Some backdoors used were deceptively simple. One example outputs “ok” after checking a hashed cookie and then executes commands via a base64-decoded payload. Another example used a plugin activation hook to insert a hidden administrator account named null.
There’s also evidence of malware persistence, where one script writes a base64-decoded backdoor to /accesson.php upon execution, ensuring it can regenerate itself even if deleted.
Administrators are urged to inspect:
- /wp-content/plugins/
- /wp-content/upgrade/
Look for suspicious plugin directories or files named:
- wp-classic-editor.zip
- background-image-cropper.zip
Top offending IPs include:
- 193.84.71.244 (over 39,900 blocked requests)
- 87.120.92.24
- 146.19.213.18
Associated malicious domains:
- cta.imasync[.]com
- wordpress.zzna[.]ru
- onerange[.]co
Wordfence recommends immediate action:
- Update to Alone Theme version 7.8.5 or later
- Scan your site using Wordfence for any suspicious plugins or backdoors
- Inspect logs for unauthorized access attempts to the vulnerable AJAX endpoint
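A small triage helper for the checks listed above, added here as an example and not taken from Wordfence or from the theme's code. The file names and IP addresses are the ones quoted in this report; the access-log format (combined/common log format) and the sample site tree are constructed assumptions.

```python
import os
import re
import tempfile
# Indicators quoted from the report above.
SUSPICIOUS_FILES = {"wp-classic-editor.zip", "background-image-cropper.zip", "accesson.php"}
REPORTED_IPS = {"193.84.71.244", "87.120.92.24", "146.19.213.18"}
WATCH_DIRS = (os.path.join("wp-content", "plugins"), os.path.join("wp-content", "upgrade"))
# Combined access-log line: client IP, identd, user, [timestamp], "METHOD URI ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)')

def scan_site(site_root):
    """Return site-relative paths of indicator files under wp-content/plugins and
    wp-content/upgrade, plus accesson.php in the web root (the persistence target)."""
    hits = []
    for rel in WATCH_DIRS:
        for root, _dirs, files in os.walk(os.path.join(site_root, rel)):
            for name in files:
                if name in SUSPICIOUS_FILES:
                    hits.append(os.path.relpath(os.path.join(root, name), site_root))
    if os.path.isfile(os.path.join(site_root, "accesson.php")):
        hits.append("accesson.php")
    return sorted(hits)

def flag_requests(log_lines):
    """Return (ip, uri) for admin-ajax.php hits from the reported IPs and for any
    request that names one of the indicator files (lines that do not parse are skipped)."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        path = m["uri"].split("?", 1)[0] if m else ""
        if m and ((m["ip"] in REPORTED_IPS and path.endswith("/admin-ajax.php"))
                  or os.path.basename(path) in SUSPICIOUS_FILES):
            flagged.append((m["ip"], m["uri"]))
    return flagged

def build_demo_site():
    """Create a constructed, throw-away site tree holding two indicator files."""
    root = tempfile.mkdtemp(prefix="alone-triage-")
    os.makedirs(os.path.join(root, "wp-content", "upgrade"))
    open(os.path.join(root, "wp-content", "upgrade", "wp-classic-editor.zip"), "w").close()
    open(os.path.join(root, "accesson.php"), "w").close()
    return root

# Constructed log lines: the IPs are from the report, everything else is made up.
DEMO_LOG = [
    '193.84.71.244 - - [12/Jul/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jul/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88',
    '146.19.213.18 - - [13/Jul/2025:01:22:10 +0000] "GET /accesson.php HTTP/1.1" 200 2',
]
```

Point `scan_site()` at the WordPress install root and `flag_requests()` at the web server's access log; a hit is a reason to look closer, not proof of compromise on its own.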
For detailed technical breakdowns and mitigation strategies, refer to the Wordfence advisory.