Warning: A critical vulnerability in the Alone-Charity Multipurpose Non-profit WordPress Theme is currently being actively exploited. Patch Immediately!

Published: 31/07/2025

* Last update: 31/07/2025
* Affected software: Alone – Charity Multipurpose Non-profit WordPress Theme prior to version 7.8.5
* Type: Missing authorisation can lead to remote code execution
* CVE/CVSS
    → CVE-2025-5394: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Sources

Risks

In July 2025, Wordfence published a fix for CVE-2025-5394. CVE-2025-5394 affects a WordPress theme entitled Alone – Charity Multipurpose Non-profit WordPress Theme.

Alone – Charity Multipurpose Non-profit WordPress Theme is a WordPress theme commonly used in the non-profit sector. Over 9.000 organisations use this theme.

CVE-2025-5394 allows unauthenticated attackers to upload arbitrary files to a vulnerable site and execute remote code. As a result, attackers could achieve a complete site takeover. Exploitation can significantly impact confidentiality, integrity, and availability.

CVE-2025-5394 has been actively exploited since at least 12 July 2025. Since then, Wordfence has detected over 120.900 exploitation attempts.

Description

CVE-2025-5394 is an arbitrary file upload vulnerability caused by missing capability checks on the alone_import_pack_install_plugin() function in all versions of Alone – Charity Multipurpose Non-profit WordPress Theme up to, and including, 7.8.3. CVE-2025-5394 enables unauthenticated attackers to invoke the AJAX action, allowing them to upload zip files containing web shells disguised as plugins from remote locations, thereby achieving remote code execution.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organisations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

Wordfence published a series of indicators of compromise that they observed carrying out exploitation attempts. Consult these indicators at https://www.wordfence.com/blog/2025/07/attackers-actively-exploiting-critical-vulnerability-in-alone-theme/
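As an added defender-side illustration (not part of the CCB advisory or Wordfence's tooling), the script below scans web server access logs in combined log format for requests to admin-ajax.php that name the vulnerable alone_import_pack_install_plugin action, then lists follow-on requests from the same client to paths under /wp-content/plugins/, where an uploaded "plugin" would land. The sample log lines are constructed; real exploitation attempts usually carry the action in the POST body, which plain access logs do not record, so a WAF or full-request log is needed for complete coverage.

```python
import re
from urllib.parse import parse_qs, urlsplit

# AJAX action named in the advisory for CVE-2025-5394.
SUSPICIOUS_ACTION = "alone_import_pack_install_plugin"

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=alone_import_pack_install_plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jul/2025:03:15:22 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jul/2025:03:16:40 +0000] "GET /wp-content/plugins/'
    'example-plugin/index.php HTTP/1.1" 200 31 "-" "curl/8.0"',
]

def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_suspicious(rec):
    """True if the request targets admin-ajax.php with the vulnerable action in the query string."""
    url = urlsplit(rec["path"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return SUSPICIOUS_ACTION in parse_qs(url.query).get("action", [])

def scan(lines):
    """Return (ip, method, status) for every request invoking the vulnerable action."""
    return [(r["ip"], r["method"], r["status"])
            for r in map(parse_line, lines) if r and is_suspicious(r)]

def follow_up_paths(lines):
    """Map each flagged client IP to the /wp-content/plugins/ paths it requested afterwards."""
    flagged = {ip for ip, _, _ in scan(lines)}
    hits = {}
    for rec in filter(None, map(parse_line, lines)):
        path = urlsplit(rec["path"]).path
        if rec["ip"] in flagged and path.startswith("/wp-content/plugins/"):
            hits.setdefault(rec["ip"], []).append(path)
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print(follow_up_paths(SAMPLE_LOG))
```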

Wordfence recommendations include:

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise. If any of these indicators are found in your systems, it is recommended that you check for and remove signs of compromise, including, for instance, malicious plugins, backdoors, web shells, suspicious administrator accounts and unrecognised files.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident

References

https://thehackernews.com/2025/07/hackers-exploit-critical-wordpress.html