CVE-2025-5394

Published Jul 15, 2025

Last updated 2 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-5394 is a vulnerability affecting the Alone – Charity Multipurpose Non-profit WordPress Theme for WordPress. It exists due to a missing capability check in the `alone_import_pack_install_plugin()` function in versions up to and including 7.8.3. This allows unauthenticated attackers to upload arbitrary files, including zip files containing webshells disguised as plugins, from remote locations. Successful exploitation of this vulnerability can lead to remote code execution, potentially giving attackers complete control over the affected website. It has been observed that attackers are exploiting this vulnerability to upload ZIP archives containing PHP-based backdoors, enabling them to execute remote commands, upload additional files, and create rogue administrator accounts.

Description
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
Source: security@wordfence.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security@wordfence.com: CWE-862

Social media

  1. #VulnerabilityReport #AloneTheme Critical RCE Flaw (CVE-2025-5394) in “Alone” WordPress Theme Actively Exploited, Allowing Full Site Takeover https://t.co/Rf8Ma72WFb

    @Komodosec

    4 Sept 2025

  2. 🚨 CVE-2025-5394 - critical 🚨 Unauthenticated Arbitrary Plugin Upload in Alone Theme > The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vu... 👾 https://t.co/pqfRmImx7k @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    20 Aug 2025

  3. Critical vulnerability CVE-2025-5394 in the WordPress theme Alone is fixed: possible site takeover via RCE https://t.co/56fQu4KgQL via @iototsecnews

    @TrustBrainJP

    14 Aug 2025

  4. 🚨CVE Alert: Alone – Charity WordPress Theme Missing Authorization Flaw Enables Unauthenticated File Upload Vulnerability Exploited in the Wild🚨 Vulnerability Details: CVE-2025-5394(CVSS 9.8/10) Alone – Charity WordPress Theme Missing Authorization Flaw Enables https:

    @CyberxtronTech

    5 Aug 2025

  5. 🟠A #vulnerability identified as CVE-2025-5394 in the theme «Alone – Charity Multipurpose Non-profit WordPress Theme» is being actively exploited by cybercriminals. #QintegraNews #ciberseguridad @unaaldia https://t.co/qcbCWryHUV

    @QintegraC

    4 Aug 2025

  6. New vulnerability in WordPress lets attackers take control of your websites. The vulnerability was identified as CVE-2025-5394, which allows the installation of plugins without the required permissions. https://t.co/BZO4YbfoiK

    @TecnoCuba23

    4 Aug 2025

  7. 🚨 Critical WordPress Vulnerability Discovered! The Alone Theme (<= 7.8.3) is vulnerable to Unauthenticated Arbitrary Plugin Upload 🛑 CVE: CVE-2025-5394 📊 CVSS: 9.8 (Critical) 🚀 Exploit POC: https://t.co/zjj9GIG839 #WordPress #Exploit #CVE #RCE #CyberSecurity #Bug

    @Nxploited

    2 Aug 2025

  8. A critical RCE flaw (CVE-2025-5394, CVSS 9.8) in the Alone WordPress theme allows unauthenticated attackers to upload arbitrary files and gain full site control. Exploitation is confirmed in the wild. https://t.co/TYdUMJ3gQu

    @the_yellow_fall

    2 Aug 2025

  9. 🚨 ALERT: Critical WordPress theme flaw (CVE-2025-5394) exploited to hijack nonprofit sites via remote plugin installs. 📌 Update Alone Theme to v7.8.5 ASAP! 🛡️ Full details: https://t.co/J4kgYzJyEm #WordPress #CyberSecurity #CVE20255394 #Canada #CanadaCyberAwareness

    @FindSecCyber

    2 Aug 2025

  10. Hackers actively exploit critical RCE in WordPress Alone theme. The vulnerability, tracked under CVE-2025-5394, impacts all versions of Alone up to 7.8.3. Alone is a premium theme with nearly 10,000 sales on the Envato market. https://t.co/Knk8JDH7Ev https://t.co/DoJKZqlVEM

    @riskigy

    1 Aug 2025

  11. Threat actors are exploiting a zero-day vulnerability (CVE-2025-5394) in the Alone WordPress theme to upload malicious files and potentially take over websites. Over 120,900 attempts since July 14. #WordPress #SecurityAlert #UK https://t.co/NZE58rnZM6

    @TweetThreatNews

    1 Aug 2025

  12. Cloudflare's security analysts are actively monitoring CVE-2025-5394. In this vulnerability exploit, an attacker can upload a .zip file—automatically extracted server-side—into the wp-content/plugins/ directory. This archive contains a malicious .php file (e.g., a webshell).

    @Cloudflare

    1 Aug 2025

  13. 🚨 Critical WordPress Security Alert: the vulnerability CVE-2025-5394 in a popular #WordPress theme is being actively exploited, allowing possible remote code execution (RCE) or malware injection: https://t.co/FEnL7Efq2P #Ciberseguridad #WP #CVE

    @henryraul

    1 Aug 2025

  14. ⚠️Vulnerability in Alone for WordPress ❗CVE-2025-5394 ➡️More info: https://t.co/ntsaVeGlp9 https://t.co/UotGk1W3Fg

    @CERTpy

    1 Aug 2025

  15. ⚠️ Weekly vuln radar — https://t.co/Cd6L8ACyLV: CVE-2025-53770 — Sharepoint Server 📈⬆️ CVE-2025-32433 (@lambdafu) CVE-2025-25257 (@0x_shaq) CVE-2025-49113 (@k_firsov) CVE-2025-6558 (@_clem1) CVE-2025-30406 CVE-2025-54309 CVE-2025-23266 (@nirohfeld @shirtamari) CVE

    @ptdbugs

    1 Aug 2025

  16. Risk of site takeover due to WordPress theme vulnerability CVE-2025-5394 https://t.co/gI9CSR2FnT #Security #セキュリティ #ニュース

    @SecureShield_

    31 Jul 2025

  17. A new vulnerability with the identifier CVE-2025-5394 has recently been published for a WordPress theme named Alone, which allows hackers to perform RCE. To prevent and counter

    @AmirHossein_sec

    31 Jul 2025

  18. WordPress Alone theme (CVE-2025-5394) is yet another zero-day—popularity = hacker bait. Time to ditch WP for a new CMS or at least update now: https://t.co/Bhw72KDjDM #WordPressWoes

    @FrankMarano_

    31 Jul 2025

  19. [Security Affairs] Attackers actively exploit critical zero-day in Alone WordPress Theme. Hackers exploit a critical vulnerability, tracked as CVE-2025-5394 (CVSS score of 9.8), in the Alone WordPress theme to hijack sites. Threat actors are actively... https://t.co/z4m5D2y1qY

    @shah_sheikh

    31 Jul 2025

  20. Hackers are actively exploiting a critical vulnerability in the WordPress theme "Alone – Charity Multipurpose Non-profit WordPress Theme" to hack vulnerable websites. This vulnerability

    @Teeegra

    31 Jul 2025

  21. Hackers actively exploit critical RCE in WordPress Alone theme Threat actors are exploiting CVE-2025-5394, a critical unauthenticated file upload vulnerability in the WordPress theme Alone, allowing remote code execution and full site takeovers. The flaw, affecting all versions

    @dCypherIO

    31 Jul 2025

  22. 🚨 Critical WordPress flaw (CVE-2025-5394) lets hackers hijack sites via the "Alone" theme! 😱 🔒 With WEBOUNCER by https://t.co/3ZPWK35LoY, your WordPress site is safe from arbitrary file uploads & remote code execution. 🛡️ Stay secure! 🌐 #WordPressSecurity #ha

    @WEBOUNCER_

    31 Jul 2025

  23. Hackers are exploiting CVE-2025-5394 in the "Alone – Charity" WordPress theme to remotely upload PHP backdoors via plugin installation. Over 120,900 sites vulnerable since July 2025. #WordPress #Vulnerability #Australia https://t.co/jvzYhDj5WS

    @TweetThreatNews

    31 Jul 2025

  24. 📌 Hackers are exploiting a serious security vulnerability in "Alone – Charity Multipurpose Non-profit WordPress Theme" to take control of vulnerable sites. The vulnerability, registered as CVE-2025-5394, carries a CVSS score of 9.8.

    @Cybercachear

    31 Jul 2025

  25. [Attackers exploit vulnerability in WordPress theme Alone] This RCE vulnerability via arbitrary file upload (CVE-2025-5394) reportedly could allow sites to be taken over. It has been fixed in version 7.8.5, so

    @MachinaRecord

    31 Jul 2025

  26. Activity of attackers exploiting the critical RCE vulnerability in the WordPress theme Alone (CVE-2025-5394) https://t.co/67HT85XyF3 #Security #セキュリティ #ニュース

    @SecureShield_

    30 Jul 2025

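  27. A critical vulnerability (CVE-2025-5394) has been found in the WordPress theme "Alone" that could allow arbitrary code to be executed remotely without authentication. The theme is aimed at non-profit organizations and has sold more than 9,000 copies on ThemeForest. The problem is a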

    @yousukezan

    30 Jul 2025

  28. 🚨 Over 120,000 Hacking Attempts: Alone WordPress Theme Under Siege by Critical #CVE-2025-5394 Vulnerability https://t.co/KGv7svWmIm

    @UndercodeNews

    30 Jul 2025

  29. CVE-2025-5394 (CVSS:9.8, CRITICAL) is Awaiting Analysis. The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads ..https://t.co/VkDD34eXqb #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    20 Jul 2025

  30. [CVE-2025-5394: CRITICAL] Alone – Charity WordPress Theme allows unauthenticated attackers to upload malicious files, leading to remote code execution. Update to version 7.8.4 to fix this vulnerability.#cve,CVE-2025-5394,#cybersecurity https://t.co/IZ7X4TX6CL https://t.co/VTdd2

    @CveFindCom

    15 Jul 2025
