Jul 31, 2025Ravie LakshmananVulnerability / Web site Safety
Menace actors are actively exploiting a important safety flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over inclined websites.
The vulnerability, tracked as CVE-2025-5394, carries a CVSS rating of 9.8. Safety researcher Thái An has been credited with discovering and reporting the bug.
In line with Wordfence, the shortcoming pertains to an arbitrary file add affecting all variations of the plugin previous to and together with 7.8.3. It has been addressed in model 7.8.5 launched on June 16, 2025.
CVE-2025-5394 is rooted in a plugin set up operate named “alone_import_pack_install_plugin()” and stems from a lacking functionality verify, thereby permitting unauthenticated customers to deploy arbitrary plugins from distant sources by way of AJAX and obtain code execution.
“This vulnerability makes it doable for an unauthenticated attacker to add arbitrary information to a susceptible website and obtain distant code execution, which is usually leveraged for a whole website takeover,” Wordfence’s István Márton stated.
Proof exhibits that CVE-2025-5394 started to be exploited beginning July 12, two days earlier than the vulnerability was publicly disclosed. This means that the risk actors behind the marketing campaign could have been actively monitoring code modifications for any newly addressed vulnerabilities.
The corporate stated it has already blocked 120,900 exploit makes an attempt focusing on the flaw. The exercise has originated from the next IP addresses –
193.84.71.24487.120.92.24146.19.213.18185.159.158.108188.215.235.94146.70.10.2574.118.126.11162.133.47.18198.145.157.1022a0b:4141:820:752::2
Within the noticed assaults, the flaw is averaged to add a ZIP archive (“wp-classic-editor.zip” or “background-image-cropper.zip”) containing a PHP-based backdoor to execute distant instructions and add extra information. Additionally delivered are fully-featured file managers and backdoors able to creating rogue administrator accounts.
To mitigate any potential threats, WordPress website house owners utilizing the theme are suggested to use the newest updates, verify for any suspicious admin customers, and scan logs for the request “/wp-admin/admin-ajax.php?motion=alone_import_pack_install_plugin.”
