Initiatieven voor
Als nationale autoriteit voor cyberveiligheid heeft het CCB verschillende initiatieven ontwikkeld voor specifieke doelgroepen die hier worden gepresenteerd.
Warning: A critical vulnerability in the Alone-Charity Multipurpose Non-profit WordPress Theme is currently being actively exploited. Patch Immediately!
Image
Gepubliceerd : 31/07/2025
* Last update: 31/07/2025
* Affected software:: Alone – Charity Multipurpose Non-profit WordPress Theme prior to version 7.8.5
* Type: Missing authorisation can lead to remote code execution
* CVE/CVSS
→ CVE-2025-5394: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/alone/alone-charity-multipurpose-non-profit-wordpress-theme-783-missing-authorization-to-unauthenticated-arbitrary-file-upload-via-plugin-installation
- https://www.wordfence.com/blog/2025/07/attackers-actively-exploiting-critical-vulnerability-in-alone-theme/
Risks
In July 2025, Wordfence published a fix for CVE-2025-5394. CVE-2025-5394 affects a WordPress theme entitled Alone – Charity Multipurpose Non-profit WordPress Theme.
Alone – Charity Multipurpose Non-profit WordPress Theme is a WordPress theme commonly used in the non-profit sector. Over 9.000 organisations use this Theme.
CVE-2025-5394 allows unauthenticated attackers to upload arbitrary files to a vulnerable site and execute remote code. As a result, attackers could achieve a complete site takeover. Exploitation can significantly impact confidentiality, integrity, and availability.
CVE-2025-5394 has been actively exploited since at least 12 July 2025. Since then, Wordfence has detected over 120.900 exploitation attempts.
Description
CVE-2025-5394 is an arbitrary file upload vulnerability caused by missing capability checks on the alone_import_pack_install_plugin() function in all versions of Alone – Charity Multipurpose Non-profit WordPress Theme up to, and including, 7.8.3. CVE-2025-5394 enables unauthenticated attackers to invoke the AJAX action, allowing them to upload zip files containing web shells disguised as plugins from remote locations, thereby achieving remote code execution.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organisations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
Wordfence published a series of indicators of compromise that they observed carrying out exploitation attempts. Consult these indicators at https://www.wordfence.com/blog/2025/07/attackers-actively-exploiting-critical-vulnerability-in-alone-theme/
Wordfence recommendations include:
- Pay special attention to unknown plugins installed on your WordPress instances
- Look for the following malicious request in your website’s access log: /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin
- Review log files for any requests originating from IP or domain mentioned in this article: https://www.wordfence.com/blog/2025/07/attackers-actively-exploiting-critical-vulnerability-in-alone-theme/
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise. If some of these indicators are found in your systems, it is recommended that you check for and remove signs of compromise. Including, for instance, malicious plugins, backdoors, web shells, suspicious administrator accounts, unrecognised files.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident
References
https://thehackernews.com/2025/07/hackers-exploit-critical-wordpress.html