Menace actors are actively exploiting a important safety flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over inclined websites.
The vulnerability, tracked as CVE-2025-5394, carries a CVSS rating of 9.8. Safety researcher Thái An has been credited with discovering and reporting the bug.
Based on Wordfence, the shortcoming pertains to an arbitrary file add affecting all variations of the plugin previous to and together with 7.8.3. It has been addressed in model 7.8.5 launched on June 16, 2025.
CVE-2025-5394 is rooted in a plugin set up operate named “alone_import_pack_install_plugin()” and stems from a lacking functionality verify, thereby permitting unauthenticated customers to deploy arbitrary plugins from distant sources through AJAX and obtain code execution.
“This vulnerability makes it potential for an unauthenticated attacker to add arbitrary recordsdata to a susceptible web site and obtain distant code execution, which is usually leveraged for a whole web site takeover,” Wordfence’s István Márton stated.
Proof reveals that CVE-2025-5394 started to be exploited beginning July 12, two days earlier than the vulnerability was publicly disclosed. This means that the menace actors behind the marketing campaign could have been actively monitoring code adjustments for any newly addressed vulnerabilities.
The corporate stated it has already blocked 120,900 exploit makes an attempt focusing on the flaw. The exercise has originated from the next IP addresses –
- 193.84.71.244
- 87.120.92.24
- 146.19.213.18
- 185.159.158.108
- 188.215.235.94
- 146.70.10.25
- 74.118.126.111
- 62.133.47.18
- 198.145.157.102
- 2a0b:4141:820:752::2
Within the noticed assaults, the flaw is averaged to add a ZIP archive (“wp-classic-editor.zip” or “background-image-cropper.zip”) containing a PHP-based backdoor to execute distant instructions and add further recordsdata. Additionally delivered are fully-featured file managers and backdoors able to creating rogue administrator accounts.
To mitigate any potential threats, WordPress web site homeowners utilizing the theme are suggested to use the newest updates, verify for any suspicious admin customers, and scan logs for the request “/wp-admin/admin-ajax.php?motion=alone_import_pack_install_plugin.”
