Arbitrary File Upload Vulnerability in Alone Charity Theme for WordPress
CVE-2025-5394

9.8 CRITICAL

Key Information:

Vendor:
WordPress
CVE Published:
15 July 2025

Badges

  • 🔥 Trending now
  • 🥇 Trended No. 1
  • 📈 Trended
  • 📈 Score: 2,660
  • 💰 Ransomware
  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 📰 News Worthy

What is CVE-2025-5394?

CVE-2025-5394 is a critical vulnerability in the Alone – Charity Multipurpose Non-profit WordPress Theme, a theme used to build and manage charity websites. The flaw stems from a missing capability check in the alone_import_pack_install_plugin() function and affects all versions of the theme up to and including 7.8.3. Because the function does not verify that the caller is authorized to install plugins, an unauthenticated attacker can upload an arbitrary zip file (for example, a webshell packaged as a plugin) and achieve remote code execution on the server. Successful exploitation compromises the confidentiality, integrity, and availability of the affected site, giving the attacker unauthorized access to, and potentially control over, sensitive data and site functionality.
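The advisory describes a plugin-installer endpoint that skips the capability check. The following is an added illustrative example, not the Alone theme's code, of how such a WordPress AJAX handler looks when the missing checks are in place; the hook name, nonce action, and upload field name are hypothetical.

```php
<?php
// Illustrative hardened installer endpoint (hypothetical names; not the theme's code).
// Registered only under wp_ajax_*, never wp_ajax_nopriv_*, so unauthenticated
// requests to admin-ajax.php never reach the installer.
add_action( 'wp_ajax_example_import_pack_install_plugin', 'example_import_pack_install_plugin' );

function example_import_pack_install_plugin() {
    // 1. Capability check: the control whose absence the advisory describes.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 ); // calls wp_die()
    }

    // 2. Nonce check: blocks CSRF against a logged-in administrator's browser.
    check_ajax_referer( 'example_import_pack_nonce', 'nonce' );

    // 3. Accept only an uploaded zip archive; no attacker-supplied paths or URLs.
    if ( empty( $_FILES['plugin_zip'] ) ) {
        wp_send_json_error( 'No file uploaded.', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload(
        $_FILES['plugin_zip'],
        array(
            'test_form' => false,
            'mimes'     => array( 'zip' => 'application/zip' ),
        )
    );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }

    // 4. Hand the package to core's installer, which unpacks and validates it.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $upload['file'] );

    @unlink( $upload['file'] ); // remove the temporary archive either way

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'Installation failed.', 500 );
    }
    wp_send_json_success( 'Plugin installed.' );
}
```

Administrators reviewing a theme or plugin can use the same checklist: is the handler reachable via wp_ajax_nopriv_, does it call current_user_can() before doing privileged work, and does it validate the uploaded file type before installing it.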

Potential impact of CVE-2025-5394

  1. Remote Code Execution: The vulnerability enables attackers to run arbitrary code on the server, which could lead to full system compromise, allowing them to manipulate website content, exfiltrate sensitive information, or deploy further malicious payloads.

  2. Data Breaches: By exploiting this vulnerability, unauthorized users may gain access to sensitive data stored within the website, including donor information, financial records, and other confidential content, leading to significant privacy violations and potential legal ramifications.

  3. Website Defacement and Downtime: Successful exploitation could result in website defacement or complete site shutdown. This not only damages the organization’s reputation but also disrupts service availability to users, impacting fundraising and community engagement efforts critical to non-profit operations.

Affected Version(s)

Alone – Charity Multipurpose Non-profit WordPress Theme: all versions <= 7.8.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

CTIX FLASH Update - August 1, 2025

The financially motivated threat group UNC2891, also known as LightBasin, launched a covert hybrid attack on a bank’s ATM infrastructure by…

1 week ago

Attackers actively exploit critical zero-day in Alone WordPress Theme

Hackers exploit a critical vulnerability, tracked as CVE-2025-5394 (CVSS score of 9.8), in the Alone WordPress theme to hijack sites.

1 week ago

References

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🥇 Vulnerability reached the number 1 worldwide trending spot
  • 📈 Vulnerability started trending
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • 💰 Used in ransomware
  • 📰 First article discovered by GBHackers News
  • Vulnerability published
  • Vulnerability reserved

Credit

Thái An