Hackers Actively Exploit Critical RCE in WordPress Alone Theme (CVE-2025-5394)

A newly disclosed flaw in the Alone – Charity Multipurpose Non-profit WordPress Theme (versions ≤ 7.8.3) enables unauthenticated attackers to deploy arbitrary plugin ZIP files-containing backdoors-and gain remote code execution. Exploitation began 12 July 2025, and Wordfence has already blocked over 120,900 exploit attempts, underscoring the urgency of immediate patching.

• 30 May 2025: Wordfence received a bug bounty submission reporting an unauthenticated arbitrary file upload via plugin installation vulnerability in Alone.
• 16 June 2025: Vendor released fixed Alone v7.8.5.
• 12 July 2025: Evidence indicates attackers began exploit attempts before public disclosure.
• 14 July 2025: Wordfence publicly disclosed CVE-2025-5394 and detailed active exploitation.

Vulnerability Technical Summary

• CVE-2025-5394 carries a CVSS score of 9.8 (Critical) due to unauthenticated upload and remote code execution capabilities.
• The root cause lies in the function alone_import_pack_install_plugin(), which lacks capability and nonce checks and is exposed via wp_ajax_nopriv, permitting unauthenticated users to install plugins—including remote ZIP sources—via AJAX.

Attack Activity & Impact

• Wordfence firewall logs show 120,900+ blocked exploit attempts, spanning from 12 July to 29 July 2025.
• Attacks originated from IPs including 193.84.71.244, 87.120.92.24, 146.19.213.18, and 2a0b:4141:820:752::2.
• Threat actors attempted to upload ZIP-based backdoors, hidden PHP file managers, and create rogue administrator accounts via malicious plugin install routines.

Expert Quotes

“This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files … and achieve remote code execution, which is typically leveraged for a complete site takeover,” Wordfence’s István Márton said.
“Threat actors … monitoring changelogs and patches to discover trivially exploitable issues before alerts are sent,” added Bill Toulas at BleepingComputer.

Global & MEA Relevance

Although not MEA‑specific, the Alone theme is frequently used by charities, NGOs, and non-profits across the Middle East and Africa. Those sites are globally exposed unless theme owners act. The lack of authorization control exemplifies widespread plugin/theme governance risks in non-profit ecosystems.

Mitigation Advice: Actionable Takeaways for Security Teams

1. Update Immediately to Alone v7.8.5 or later across all affected deployments.
2. Validate Firewall Protections—Wordfence users already received rules; ensure they are active and current.
3. Audit /wp-content/plugins/ and upgrade/ directories for unfamiliar plugin folders or files.
4. Review Access Logs for any requests to admin-ajax.php?action=alone_import_pack_install_plugin.
5. Block Malicious IPs like 193.84.71.244, 87.120.92.24, etc., at the firewall or CDN layer.
6. Scan Themes and Plugins using CLI tools or vulnerability-aware scanners for unauthorized installs.
7. Enable File-Integrity Monitoring to detect unexpected PHP files or admin account additions.
8. Backup and Prepare Incident Response Playbook if signs of compromise appear.
9. Educate Web Administrators on secure plugin/theme update policies and least-privilege configuration.
10. Maintain Awareness of newly patched WordPress themes and subscribe to security alerts/trends on cybercory.com for proactive defense.

Conclusion

CVE‑2025‑5394 is a textbook example of how missing authorization checks in WordPress themes can lead to full site takeover by remote attackers. With over 120,000 exploit attempts already recorded, organizations-especially those in MEA using the Alone theme-must patch to v7.8.5, verify mitigation layers, and audit logs promptly. In a world of rapid patch releases, vulnerability awareness and swift action are essential to maintaining trust and online presence.

Sources

• Wordfence blog: Attackers Actively Exploiting Critical Vulnerability in Alone Theme (published 29 July 2025)
• NVD/CVE details for CVE‑2025‑5394 (published 15 July 2025)
• Caveats from Vulmon / Tenable (published ~15 July 2025)
• BleepingComputer coverage: Hackers Exploit Critical WordPress Theme Flaw… (published 30 July 2025)