Threat actors are actively exploiting a critical security flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over susceptible sites.
The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug.
According to Wordfence, the shortcoming relates to an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3. It has been addressed in version 7.8.5 released on June 16, 2025.
CVE-2025-5394 is rooted in a plugin installation function named “alone_import_pack_install_plugin()” and stems from a missing capability check, thereby allowing unauthenticated users to deploy arbitrary plugins from remote sources via AJAX and achieve code execution.
“This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover,” Wordfence’s István Márton said.
Evidence shows that CVE-2025-5394 began to be exploited starting July 12, two days before the vulnerability was publicly disclosed. This indicates that the threat actors behind the campaign may have been actively monitoring code changes for any newly addressed vulnerabilities.
The company said it has already blocked 120,900 exploit attempts targeting the flaw. The activity has originated from the following IP addresses –
- 193.84.71.244
- 87.120.92.24
- 146.19.213.18
- 185.159.158.108
- 188.215.235.94
- 146.70.10.25
- 74.118.126.111
- 62.133.47.18
- 198.145.157.102
- 2a0b:4141:820:752::2
In the observed attacks, the flaw is averaged to upload a ZIP archive (“wp-classic-editor.zip” or “background-image-cropper.zip”) containing a PHP-based backdoor to execute remote commands and upload additional files. Also delivered are fully-featured file managers and backdoors capable of creating rogue administrator accounts.
To mitigate any potential threats, WordPress site owners using the theme are advised to apply the latest updates, check for any suspicious admin users, and scan logs for the request “/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin.”
