Threat actors actively exploit a critical security flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over susceptible sites.
The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An discovered and reported the bug.
According to Wordfence, the shortcoming is an arbitrary file upload that affects all versions of the theme up to and including 7.8.3. The developers addressed the issue in version 7.8.5, released on June 16, 2025.
CVE-2025-5394 originates in the plugin installation function “alone_import_pack_install_plugin()” and stems from a missing capability check. This oversight allows unauthenticated users to install arbitrary plugins from remote sources via AJAX, leading to code execution.
“This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover,” Wordfence’s István Márton stated.
Evidence shows that exploitation of CVE-2025-5394 began on July 12, two days before the vulnerability was publicly disclosed. This timing indicates that the threat actors behind the campaign were actively monitoring code changes for newly addressed vulnerabilities.
The company reported that it has already blocked 120,900 exploit attempts targeting the flaw. The activity has originated from the following IP addresses:
- 193.84.71.244
- 87.120.92.24
- 146.19.213.18
- 185.159.158.108
- 188.215.235.94
- 146.70.10.25
- 74.118.126.111
- 62.133.47.18
- 198.145.157.102
- 2a0b:4141:820:752::2
In the observed attacks, the flaw is abused to upload a ZIP archive (“wp-classic-editor.zip” or “background-image-cropper.zip”) containing a PHP-based backdoor that executes remote commands and uploads additional files. Attackers also deliver fully featured file managers and backdoors capable of creating rogue administrator accounts.
To mitigate any potential threats, WordPress site owners using the theme should apply the latest updates, check for any suspicious admin users, and scan logs for requests to “/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin”.
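The log check recommended above can be automated. The following script is an added example written for this article, not code from Wordfence or the theme's developers; it assumes the web server writes the standard Combined Log Format (Apache/nginx default), and the sample log lines embedded in it are constructed for illustration. The IP list is the one published in the article.

```python
"""Flag access-log requests that target the vulnerable AJAX action from CVE-2025-5394."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# AJAX action named in the advisory for the Alone theme.
TARGET_ACTION = "alone_import_pack_install_plugin"

# Source addresses Wordfence associated with the campaign (from the article).
KNOWN_ATTACKER_IPS = frozenset({
    "193.84.71.244", "87.120.92.24", "146.19.213.18", "185.159.158.108",
    "188.215.235.94", "146.70.10.25", "74.118.126.111", "62.133.47.18",
    "198.145.157.102", "2a0b:4141:820:752::2",
})

# Assumption: Combined Log Format, e.g.
# 203.0.113.7 - - [12/Jul/2025:03:14:09 +0000] "GET /path HTTP/1.1" 200 53 ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    status: int
    known_attacker_ip: bool


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def targets_vulnerable_action(target: str) -> bool:
    """True when the request URL is admin-ajax.php with the vulnerable action in its query string.

    Works for sites installed in a sub-directory (e.g. /blog/wp-admin/...) and
    ignores other admin-ajax actions such as the WordPress heartbeat.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return TARGET_ACTION in parse_qs(parts.query).get("action", [])


def scan_access_log(lines):
    """Return one Finding per request that targets the vulnerable action."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not targets_vulnerable_action(entry["target"]):
            continue
        findings.append(Finding(
            ip=entry["ip"],
            timestamp=entry["ts"],
            method=entry["method"],
            status=int(entry["status"]),
            known_attacker_ip=entry["ip"] in KNOWN_ATTACKER_IPS,
        ))
    return findings


# Constructed sample log: one benign heartbeat call, two attempts against the
# vulnerable action (one from a listed IP, one blocked with 403), one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2025:03:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 53
193.84.71.244 - - [12/Jul/2025:03:14:11 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 0
198.51.100.20 - - [12/Jul/2025:03:15:40 +0000] "GET /blog/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 403 199
2a0b:4141:820:752::2 - - [13/Jul/2025:21:02:03 +0000] "GET /index.php HTTP/1.1" 200 4120
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        tag = "LISTED-IP" if f.known_attacker_ip else "unlisted-ip"
        verdict = "blocked" if f.status in (401, 403) else "INVESTIGATE"
        print(f"{f.timestamp} {f.ip:<22} {f.method:<4} {f.status} {tag} {verdict}")
```

A flagged request that returned a 2xx status is the one to investigate: check the uploads and plugins directories for the archive names quoted in the article and review the administrator user list. One caveat: the access log only shows the query string, so if the `action` parameter is sent in a POST body the request will not match here; for that case rely on WAF or application-level logging (such as the Wordfence firewall log), or extend the server's log format to capture request bodies.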
Source: TheHackerNews