Summary
CVE-2025-5394 is a critical flaw in the Alone – Charity Multipurpose Non-profit WordPress Theme (≤ 7.8.3) due to a missing capability check in alone_import_pack_install_plugin(), allowing unauthenticated attackers to upload ZIP files with webshells or backdoored plugins for remote code execution. Exploitation began before public disclosure, with over 120,900 attempts blocked by Wordfence, involving backdoors, PHP file managers, and hidden admin accounts. Malicious activity has been linked to IPs like 193.84.71.244 and domains such as cta.imasync[.]com. Version 7.8.5 fixes the issue; admins should update immediately, audit plugin directories, review logs, and remove unauthorized files.
Urgent Actions Required
- Update the Alone – Charity Multipurpose Non-profit WordPress Theme to version 7.8.5 or later immediately; this is the only complete fix.
- Review and remove any unauthorized files in /wp-content/plugins/ and /wp-content/upgrade/. Updating closes the hole but does not remove anything an attacker already planted.
- Monitor server logs for requests to admin-ajax.php carrying action=alone_import_pack_install_plugin from external sources. admin-ajax.php reads the action from either the query string or the POST body, so a check that only inspects the URL will miss body-borne requests.
- Block known malicious IPs such as 193.84.71.244, 87.120.92.24, and 146.19.213.18 at the firewall or CDN, treating this as a stopgap rather than protection: attacker infrastructure changes.
Which Systems Are Vulnerable to CVE-2025-5394?
Technical Overview
- Vulnerability Type: Unauthenticated Arbitrary File Upload via Plugin Installation
- Affected Software/Versions: Alone – Charity Multipurpose Non-profit WordPress Theme ≤ 7.8.3
- Attack Vector: Network (HTTP/HTTPS via AJAX)
- CVSS Score: 9.8
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, update to Alone v7.8.5 or later[2]
How Does the CVE-2025-5394 Exploit Work?
The attack typically follows these steps (each drawn from the description and indicators elsewhere in this advisory):
- The attacker sends an unauthenticated request to /wp-admin/admin-ajax.php with action=alone_import_pack_install_plugin, carrying a ZIP archive.
- Because the handler performs no capability or nonce check, WordPress accepts the archive and installs it as a plugin, staging it under /wp-content/upgrade/ and unpacking it into /wp-content/plugins/.
- The archive contains a webshell or backdoored plugin (observed names include wp-classic-editor.zip and background-image-cropper.zip), so PHP under the attacker's control is now reachable on the web server, giving remote code execution.
- With code execution, the attacker establishes persistence: backdoors such as /accesson.php, PHP file managers, and hidden administrator accounts.
What Causes CVE-2025-5394?
Vulnerability Root Cause:
This flaw exists in the alone_import_pack_install_plugin() function of the Alone WordPress theme (≤ 7.8.3). The function performs no capability check and no nonce check, yet it is registered as an AJAX action reachable by unauthenticated visitors. An attacker can therefore submit an arbitrary ZIP file, which WordPress unpacks and installs as a plugin without validation; the PHP inside is then reachable on the server, leading to remote code execution and possible full site takeover.
How Can You Mitigate CVE-2025-5394?
If immediate patching is delayed or not possible:
- Block requests to admin-ajax.php whose action is alone_import_pack_install_plugin at the firewall, CDN, or proxy. Match the action in both the query string and the POST body; admin-ajax.php accepts either.
- Monitor for suspicious requests targeting this endpoint, and for POSTs to admin-ajax.php from sources that have no authenticated session.
- Audit /wp-content/plugins/ and /wp-content/upgrade/ for unknown or unauthorized files.
- Enable file-integrity monitoring to detect new PHP files or hidden admin accounts.
- Review server logs regularly for unusual activity related to plugin installations.
Which Assets and Systems Are at Risk?
Asset Types Affected:
- WordPress Websites – Sites using the Alone – Charity Multipurpose Non-profit WordPress Theme, versions ≤ 7.8.3.
- Plugin and Theme Directories – Especially /wp-content/plugins/ and /wp-content/upgrade/, where malicious ZIP files or webshells may be uploaded.
Business-Critical Systems at Risk:
- Non-profit and Charity Websites – Sites that manage donations, campaigns, and volunteer data.
- Admin Dashboards – Attackers can create hidden administrator accounts, potentially taking full control of the site.
- Data Management Pages – Sensitive donor or financial information may be exposed if exploited.
Exposure Level:
- Internet-facing WordPress Sites – All vulnerable Alone theme installations are remotely exploitable via unauthenticated AJAX requests.
- Sites with Unpatched Themes – Even low-traffic or internal-facing sites remain at risk if not updated to version 7.8.5 or later.
Will Patching CVE-2025-5394 Cause Downtime?
Patch application impact: Low. Updating the Alone theme to version 7.8.5 or later typically requires minimal downtime. Most sites just need the theme update; normal operations can continue during the process.
Mitigation (if immediate patching is not possible): Monitor uploads in plugin directories and restrict the vulnerable AJAX endpoint. These steps lower risk but don’t fully protect until patched.
How Can You Detect CVE-2025-5394 Exploitation?
Exploitation Signatures:
- Requests to /wp-admin/admin-ajax.php with action=alone_import_pack_install_plugin (in the query string or POST body) attempting plugin uploads.
- ZIP files containing webshells or backdoored plugins.
- Suspicious plugin archive names observed in attacks, such as wp-classic-editor.zip or background-image-cropper.zip.
Indicators of Compromise (IOCs/IOAs):
- Unauthorized files in /wp-content/plugins/ or /wp-content/upgrade/.
- Hidden administrator accounts created via malicious plugin uploads.
- Backdoors like /accesson.php.
- Malicious traffic from IPs including 193.84.71.244, 87.120.92.24, 146.19.213.18.
- Connections to suspicious domains such as cta.imasync[.]com and wordpress.zzna[.]ru.
Behavioral Indicators:
- Plugins being installed with no corresponding authenticated administrator session.
- Persistent backdoors or hidden admin accounts appearing after uploads.
- Unexpected activity in plugin or upgrade directories.
Alerting Strategy:
- Priority: Critical.
- Trigger alerts for:
- Any plugin uploads from unauthenticated sources.
- Unexpected creation of admin accounts.
- Presence of webshells or backdoor files in monitored directories.
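The exploitation signatures and IOCs above, turned into a small log scanner. This is an added example, not code from the advisory or from the theme's vendor. It parses combined-format web server access log lines, flags the vulnerable action when it appears in the query string, flags POSTs to admin-ajax.php from the listed IOC addresses (an action sent in the POST body never appears in an access log, so the IP is the only signal left there), and flags hits on the /accesson.php backdoor path. The sample log lines are constructed for this example; the finding labels are this example's own names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values taken from the advisory's signature and IOC lists.
VULN_ACTION = "alone_import_pack_install_plugin"
IOC_IPS = {"193.84.71.244", "87.120.92.24", "146.19.213.18"}
IOC_PATHS = {"/accesson.php"}

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Aug/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 312
193.84.71.244 - - [01/Aug/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 58
146.19.213.18 - - [01/Aug/2025:10:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58
193.84.71.244 - - [01/Aug/2025:10:01:12 +0000] "GET /accesson.php HTTP/1.1" 200 1409
198.51.100.7 - - [01/Aug/2025:10:02:00 +0000] "GET /wp-content/themes/alone/style.css HTTP/1.1" 200 9021
"""


def parse_line(line):
    """Return a dict with ip, method, path, query (parsed) and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)   # percent-decodes, handles repeated keys
    return rec


def classify(rec):
    """Apply the advisory's indicators to one parsed request; return a list of finding labels."""
    findings = []
    if rec["path"].endswith("/wp-admin/admin-ajax.php"):
        if VULN_ACTION in rec["query"].get("action", []):
            findings.append("vuln_action_in_query")
        elif rec["method"] == "POST" and rec["ip"] in IOC_IPS:
            # The action may be in the POST body, which access logs do not record,
            # so a POST to admin-ajax.php from a known attacker IP is still worth a look.
            findings.append("post_admin_ajax_from_ioc_ip")
    if rec["path"] in IOC_PATHS:
        findings.append("ioc_backdoor_path")
    return findings


def scan(lines):
    """Scan log lines; return (ip, method, path, findings) for each line that triggers an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if findings:
            hits.append((rec["ip"], rec["method"], rec["path"], findings))
    return hits


if __name__ == "__main__":
    for ip, method, path, findings in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip:16} {method:5} {path:32} {', '.join(findings)}")
```

Run it against a real access log with `scan(open(path).readlines())`. A hit on `vuln_action_in_query` on a site still below 7.8.5 should be treated as a likely compromise and followed by the file audit in the incident response section, not just by blocking the source address.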
Remediation & Response
Patch/Upgrade Instructions:
- Update the Alone – Charity Multipurpose Non-profit WordPress Theme to version 7.8.5 or later, then confirm the installed version in the WordPress admin panel.
- After updating, still audit /wp-content/plugins/ and /wp-content/upgrade/ and the user list: the update closes the vulnerability but does not undo an earlier compromise.
Mitigation Steps if Patching Must Be Delayed:
- Delete unauthorized plugin ZIPs and unpacked plugins from /wp-content/plugins/ and /wp-content/upgrade/
- Block requests to admin-ajax.php with action=alone_import_pack_install_plugin (query string or POST body) with firewall or WAF rules
- Watch server logs for suspicious requests
- Block traffic from known malicious IPs: 193.84.71.244, 87.120.92.24, 146.19.213.18
Incident Response Considerations:
- Isolate affected WordPress instances to prevent further exploitation.
- Review logs for evidence of unauthorized plugin uploads or hidden administrator accounts.
- Scan for webshells or backdoors, especially in /wp-content/plugins/ and /wp-content/upgrade/.
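The file-integrity check from the mitigation section and the directory scan in the incident response steps above, as one added example that is not code from the advisory or the theme's vendor. It snapshots every file under /wp-content/plugins/ and /wp-content/upgrade/ by SHA-256, diffs a later snapshot against the baseline, and applies the advisory's indicators to what changed: known IOC filenames, archives or PHP left in upgrade/, new PHP under plugins/, and modified PHP anywhere tracked. The `demo()` function builds a throwaway wp-content tree and a simulated post-exploitation state; all of that content is constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories the advisory names as the landing spots for malicious uploads.
WATCHED_SUBDIRS = ("plugins", "upgrade")
# Filenames the advisory lists as seen in exploitation (indicators, not a complete list).
IOC_NAMES = {"wp-classic-editor.zip", "background-image-cropper.zip", "accesson.php"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(wp_content: Path) -> dict:
    """Map every file under the watched subdirectories (relative POSIX path) to its SHA-256."""
    result = {}
    for sub in WATCHED_SUBDIRS:
        base = wp_content / sub
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                result[p.relative_to(wp_content).as_posix()] = sha256_file(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths between two snapshots, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def flag_suspicious(delta: dict) -> list:
    """Apply the advisory's indicators to a diff; return (path, [reasons]) for anything to review."""
    flagged = []
    for rel in delta["added"]:
        name = os.path.basename(rel)
        reasons = []
        if name in IOC_NAMES:
            reasons.append("known IOC filename")
        if rel.startswith("upgrade/") and name.lower().endswith((".zip", ".php")):
            reasons.append("archive or PHP left in upgrade/")
        if rel.startswith("plugins/") and name.lower().endswith(".php"):
            reasons.append("new PHP under plugins/")
        if reasons:
            flagged.append((rel, reasons))
    for rel in delta["modified"]:
        if rel.lower().endswith(".php"):
            flagged.append((rel, ["tracked PHP file modified"]))
    return flagged


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, simulate the post-exploitation state, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        wp = Path(tmp) / "wp-content"
        legit = wp / "plugins" / "akismet"
        legit.mkdir(parents=True)
        (legit / "akismet.php").write_text("<?php // legitimate plugin\n")
        (wp / "upgrade").mkdir()
        baseline = snapshot(wp)

        # Simulated attacker activity: a ZIP left by the unauthenticated installer, the
        # plugin it unpacked into, and a tampered legitimate plugin file. Contents are placeholders.
        (wp / "upgrade" / "wp-classic-editor.zip").write_bytes(b"PK\x03\x04 placeholder archive")
        evil = wp / "plugins" / "wp-classic-editor"
        evil.mkdir()
        (evil / "wp-classic-editor.php").write_text("<?php // placeholder for a dropped webshell\n")
        (legit / "akismet.php").write_text("<?php // legitimate plugin\n// injected line\n")

        delta = diff_snapshots(baseline, snapshot(wp))
        return {"delta": delta, "flagged": flag_suspicious(delta)}


if __name__ == "__main__":
    report = demo()
    for rel, reasons in report["flagged"]:
        print(f"{rel}: {'; '.join(reasons)}")
```

In production, take the baseline snapshot right after a known-good deployment (or after the 7.8.5 update on a site you have already cleaned) and store it outside the web root; a snapshot taken after compromise would simply bless the attacker's files. Every new PHP file under plugins/ is flagged deliberately: legitimate plugin installs produce the same delta, and the reviewer's job is to tie each one to a known admin action.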
Where Can I Find More Information on CVE-2025-5394?
- [1] GitHub Advisory Database: CVE-2025-5394, The Alone – Charity Multipurpose Non-profit WordPress Theme…
- [2] Bearsthemes: Alone – Charity Multipurpose Non-profit WordPress Theme
- [3] Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
- [4] CVE-2025-5394: Arbitrary File Upload Vulnerability in Alone Charity Theme for WordPress
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 | Critical severity due to potential full site compromise and remote code execution |
| Attack Vector | Network | Exploitable remotely via HTTP requests to admin-ajax.php without local access |
| Attack Complexity | Low | Straightforward exploitation; no special conditions required |
| Privileges Required | None | No authentication or elevated privileges needed to exploit |
| User Interaction | None | Exploit does not require user action |
| Scope | Unchanged | Impact stays within the security authority of the vulnerable WordPress installation |
| Confidentiality Impact | High | Successful exploitation can expose sensitive site data |
| Integrity Impact | High | Exploit allows unauthorized modification of files, plugin installation, and admin account creation |
| Availability Impact | High | Exploit can disrupt site operations or cause full site compromise |