Active Exploitation of CVE-2025-5394 in Alone WordPress Theme
Aug. 4, 2025, 9:19 a.m.
Description
A critical arbitrary file-upload vulnerability (CVE-2025-5394) in the Alone - Charity Multipurpose Non-profit WordPress theme versions 7.8.3 and earlier is being actively exploited. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to upload malicious ZIP archives containing PHP backdoors, resulting in remote code execution and full site takeover. The vulnerability stems from a missing authorization check in the alone_import_pack_install_plugin() AJAX handler. Attackers can exploit this to upload web shells, execute commands, deploy file managers, and create rogue admin accounts. Several IP addresses have been identified as sources of attacks. Website owners are urged to update to version 7.8.5 or later, verify site integrity, strengthen access controls, and enhance detection and monitoring measures.
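The defect class described above, a plugin-install AJAX handler reachable without any authorization check, shown as an added illustration beside a hardened form. This is not code from the Alone theme or from the advisory; the hook names, function names, parameter names and the download URL are hypothetical placeholders, and the hardened version relies only on standard WordPress APIs (`check_ajax_referer`, `current_user_can`, `Plugin_Upgrader`).

```php
<?php
// Added illustration (not the Alone theme's code). Hook, function and
// parameter names are hypothetical; the package URL is a placeholder.

// --- Vulnerable pattern: exposed to unauthenticated visitors, no checks ---
add_action( 'wp_ajax_nopriv_demo_import_pack_install', 'demo_import_pack_install_vulnerable' );
add_action( 'wp_ajax_demo_import_pack_install',        'demo_import_pack_install_vulnerable' );

function demo_import_pack_install_vulnerable() {
    // No capability check, no nonce, and the archive source is caller-supplied:
    // anyone who can reach admin-ajax.php can have a ZIP installed as a plugin.
    $zip = isset( $_POST['plugin_zip'] ) ? $_POST['plugin_zip'] : '';
    demo_install_from_zip( $zip );
    wp_send_json_success();
}

// --- Hardened handler: logged-in only, capability-gated, nonce-protected ---
// Registered on wp_ajax_ only; no wp_ajax_nopriv_ registration at all.
add_action( 'wp_ajax_demo_import_pack_install_safe', 'demo_import_pack_install_safe' );

function demo_import_pack_install_safe() {
    // Reject requests that lack a valid nonce bound to this action (CSRF guard).
    check_ajax_referer( 'demo_import_pack_install_safe', 'nonce' );

    // Only users who may install plugins may trigger an install.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Never install an arbitrary caller-supplied archive: map a slug to an
    // allow-list of packages the theme itself vendors (placeholder URL).
    $allowed = array(
        'demo-slider' => 'https://downloads.example.test/demo-slider.zip',
    );
    $slug = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    if ( ! isset( $allowed[ $slug ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown package.' ), 400 );
    }

    demo_install_from_zip( $allowed[ $slug ] );
    wp_send_json_success();
}

// Hypothetical stand-in for a theme's installer: fetches and unpacks a ZIP
// into wp-content/plugins through WordPress's own upgrader classes.
function demo_install_from_zip( $zip_url ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $zip_url );
}
```

When reviewing a site after the update, the same three properties are what to confirm in any theme or plugin AJAX handler that writes files: no `wp_ajax_nopriv_` registration, a capability check, and a nonce check.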
Date
- Created: Aug. 1, 2025, 3:39 p.m.
- Published: Aug. 1, 2025, 3:39 p.m.
- Modified: Aug. 4, 2025, 9:19 a.m.