The vulnerability, tracked as CVE-2025-5394 with a maximum CVSS severity score of 9.8, allows unauthenticated attackers to achieve complete website takeovers through arbitrary file uploads.
The security flaw affects all versions of the Alone – Charity Multipurpose Non-profit WordPress theme up to version 7.8.3, which has garnered more than 9,000 sales on ThemeForest.
The vulnerability stems from a missing capability check in the theme’s alone_import_pack_install_plugin() function, enabling unauthenticated users to upload malicious ZIP files disguised as plugins from remote locations.
“This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover,” according to Wordfence’s threat intelligence team.
The flaw allows attackers to install plugins not only via slugs but also through remote sources, significantly expanding the attack surface.
The vulnerability was initially reported to Wordfence on May 30, 2025, through their bug bounty program, earning researcher Thái An a $501 bounty.
The vendor released the patched version 7.8.5 on June 16, 2025, followed by public disclosure on July 14, 2025.
Concerning trends emerged when attack data revealed that threat actors began actively exploiting the vulnerability on July 12, 2025 – two days before public disclosure.
“A clear indication that attackers are monitoring changesets and software for newly patched vulnerabilities,” security analysts noted.
Attackers have been deploying various types of malware through the vulnerability, including simple backdoors, file managers, and scripts that create malicious administrator accounts.
Analysis of attack attempts revealed that threat actors are hosting malicious ZIP files on domains such as cta.imasync[.]com, dari-slideshow[.]ru, and mc-cilinder[.]nl.
The most active attacking IP addresses include 193.84.71.244 with over 39,900 blocked requests and 87.120.92.24 with over 37,100 blocked attempts.
Security researchers recommend monitoring access logs for requests to /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin and reviewing plugin directories for suspicious installations.
Wordfence Premium, Care, and Response users received firewall protection on May 30, 2025, while free users received protection after a 30-day delay on June 29, 2025.
Website administrators using the Alone theme are urgently advised to update to version 7.8.5 immediately, as the vulnerability remains under active exploitation with thousands of sites potentially vulnerable.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post WordPress Theme RCE Flaw Actively Exploited to Seize Full Site Control appeared first on Cyber Security News.
A newly identified backdoor called A0Backdoor has emerged as part of a calculated social-engineering campaign…
Attackers can exploit insecure defaults and prompt injection vulnerabilities to turn normal agent behavior into…
A set of nine novel cross-tenant vulnerabilities in Google Looker Studio, collectively dubbed “LeakyLooker,” that…
Tennessee lawmakers decided in 2025 to move the vast majority of sports gambling revenue into…
The arrest of Nashville Noticias reporter Estefany Maria Rodríguez Florez on March 4 by ICE…
A combination of funding pressures have left many states struggling to figure out how to…
This website uses cookies.