Security researchers have identified active exploitation of a critical vulnerability in the popular Alone WordPress theme, with over 120,900 attack attempts blocked since the flaw was patched.
The vulnerability, tracked as CVE-2025-5394 with a maximum CVSS severity score of 9.8, allows unauthenticated attackers to achieve complete website takeovers through arbitrary file uploads.
Vulnerability Details and Impact
The security flaw affects all versions of the Alone – Charity Multipurpose Non-profit WordPress theme up to version 7.8.3, which has garnered more than 9,000 sales on ThemeForest.
The vulnerability stems from a missing capability check in the theme’s alone_import_pack_install_plugin() function, enabling unauthenticated users to upload malicious ZIP files disguised as plugins from remote locations.
“This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover,” according to Wordfence’s threat intelligence team.
The flaw allows attackers to install plugins not only via slugs but also through remote sources, significantly expanding the attack surface.
Timeline and Exploitation Activity
The vulnerability was initially reported to Wordfence on May 30, 2025, through their bug bounty program, earning researcher Thái An a $501 bounty.
The vendor released the patched version 7.8.5 on June 16, 2025, followed by public disclosure on July 14, 2025.
Concerning trends emerged when attack data revealed that threat actors began actively exploiting the vulnerability on July 12, 2025 – two days before public disclosure.
“A clear indication that attackers are monitoring changesets and software for newly patched vulnerabilities,” security analysts noted.
Malware Analysis and Attack Infrastructure
Attackers have been deploying various types of malware through the vulnerability, including simple backdoors, file managers, and scripts that create malicious administrator accounts.
Analysis of attack attempts revealed that threat actors are hosting malicious ZIP files on domains such as cta.imasync[.]com, dari-slideshow[.]ru, and mc-cilinder[.]nl.
The most active attacking IP addresses include 193.84.71.244 with over 39,900 blocked requests and 87.120.92.24 with over 37,100 blocked attempts.
Security researchers recommend monitoring access logs for requests to /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin and reviewing plugin directories for suspicious installations.
Protection and Recommendations
Wordfence Premium, Care, and Response users received firewall protection on May 30, 2025, while free users received protection after a 30-day delay on June 29, 2025.
Website administrators using the Alone theme are urgently advised to update to version 7.8.5 immediately, as the vulnerability remains under active exploitation with thousands of sites potentially vulnerable.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
%20(1).webp?resize=1600,900&ssl=1&description=The vulnerability, tracked as CVE-2025-5394 with a maximum CVSS severity score of 9.8, allows unauthenticated attackers to achieve complete website takeovers through arbitrary file uploads.){kind=link}