Arbitrary File Upload Vulnerability in Alone Charity Theme for WordPress
CVE-2025-5394
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 15 July 2025
Badges
What is CVE-2025-5394?
CVE-2025-5394 is a significant vulnerability affecting the Alone Charity Multipurpose Non-profit WordPress Theme, designed for creating and managing charity-related websites. This vulnerability arises due to inadequate capability checks within the alone_import_pack_install_plugin() function, present in all versions of the theme up to and including 7.8.3. As a result, unauthenticated attackers can exploit this flaw to upload malicious zip files containing webshells disguised as plugins, leading to remote code execution on the server. This could seriously compromise the confidentiality, integrity, and availability of the affected organization's web assets, allowing attackers to gain unauthorized access and potentially control over sensitive data and functionalities.
Potential impact of CVE-2025-5394
-
Remote Code Execution: The vulnerability enables attackers to run arbitrary code on the server, which could lead to full system compromise, allowing them to manipulate website content, exfiltrate sensitive information, or deploy further malicious payloads.
-
Data Breaches: By exploiting this vulnerability, unauthorized users may gain access to sensitive data stored within the website, including donor information, financial records, and other confidential content, leading to significant privacy violations and potential legal ramifications.
-
Website Defacement and Downtime: Successful exploitation could result in website defacement or complete site shutdown. This not only damages the organization’s reputation but also disrupts service availability to users, impacting fundraising and community engagement efforts critical to non-profit operations.
Affected Version(s)
Alone – Charity Multipurpose Non-profit WordPress Theme * <= 7.8.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Cyber Security Agency of SingaporeCVE-2025-5394Critical Vulnerability in WordPress Theme
Bearsthemes has released a patch addressing a critical vulnerability in a WordPress Theme, Alone. Users and administrators of affected products are advised...
3 weeks ago
CTIX FLASH Update - August 1, 2025
The financially motivated threat group UNC2891, also known as LightBasin, launched a covert hybrid attack on a bank’s ATM infrastructure by…
1 month ago
Security AffairsCVE-2025-5394Attackers actively exploit critical zero-day in Alone WordPress Theme
Hackers exploit a critical vulnerability, tracked as CVE-2025-5394 (CVSS score of 9.8), in the 'Alone WordPress theme to hijack sites.
1 month ago
References
EPSS Score
21% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🥇
Vulnerability reached the number 1 worldwide trending spot
- 📈
Vulnerability started trending
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 💰
Used in Ransomware
- 📰
First article discovered by GBHackers News
Vulnerability published
Vulnerability Reserved