Severity
High
Analysis Summary
A critical Remote Code Execution (RCE) vulnerability tracked as CVE-2025-5394 has been discovered in the Alone WordPress theme, a widely used template among non-profits and charity organizations. Rated high severity on the CVSS scale, the flaw affects versions 7.8.3 and below, putting over 9,000 websites at immediate risk. The vulnerability is being actively exploited in the wild, with more than 120,900 malicious attempts recorded since July 12th, 2025, before the flaw was publicly disclosed. Attackers are exploiting it to gain full control over vulnerable sites, install backdoors, and deploy webshells.
According to the researchers who reported it, the vulnerability stems from a missing capability check in the function alone_import_pack_install_plugin() within the theme's setup process. This function processes unauthenticated AJAX requests sent to the endpoint /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin, allowing attackers to install arbitrary plugins fetched from remote sources. The plugin_source parameter is the dangerous part: it lets a threat actor point the installer at attacker-controlled content disguised as a plugin, bypassing the usual administrative controls. Because no authentication is required, exploitation is simple and scales easily across many sites.
Real-world exploitation has been aggressive and organized. Malicious zip files such as wp-classic-editor.zip and background-image-cropper.zip have been used to distribute obfuscated malware and backdoors. Prominent attacker IPs include 193.84.71.244 and 87.120.92.24, which together account for over 77,000 exploit requests. Domains like cta.imasync[.]com and dari-slideshow[.]ru are among the sources delivering exploit payloads. The Wordfence team has been actively monitoring the situation and rolled out firewall protection rules for premium users on May 30th, and free users on June 29th, 2025.
To mitigate the threat, administrators must immediately update the Alone theme to version 7.8.5 or later, which addresses the vulnerability. Security teams are advised to inspect the /wp-content/plugins/ and /wp-content/upgrade/ directories for suspicious installations and review access logs for exploit signatures. This incident underlines the growing trend of attackers monitoring patch releases to reverse-engineer exploits, emphasizing the need for timely updates and continuous monitoring of web assets for indicators of compromise.
Impact
- Code Execution
- Gain Access
- Security Bypass
Indicators of Compromise
CVE
- CVE-2025-5394
IP
- 146.70.10.25
- 193.84.71.244
- 87.120.92.24
Affected Vendors
- WordPress
Affected Products
- WordPress Alone – Charity Multipurpose Non-profit WordPress Theme 7.8.5
Remediation
- Upgrade to the latest version, available from the WordPress Plugin Directory.
- Inspect the /wp-content/plugins/ and /wp-content/upgrade/ directories for unauthorized or suspicious plugin files.
- Review access logs for requests to /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin to detect exploitation attempts.
- Delete any unknown plugin zip files such as wp-classic-editor.zip or background-image-cropper.zip.
- Block or monitor traffic from known malicious IPs like 193.84.71.244 and 87.120.92.24.
- Blacklist malicious domains such as cta.imasync[.]com and dari-slideshow[.]ru at the network or firewall level.
- Install or update web application firewalls (WAF) like Wordfence, ensuring protection rules are up to date.
- Enable strict file upload policies and limit plugin installation permissions to trusted administrators only.
- Perform a full malware scan using reputable WordPress security plugins to identify any embedded backdoors.
- Regularly back up your site to ensure a clean recovery point in case of compromise.
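The log-review and directory-inspection steps above can be automated. The following Python script is an added example written for this advisory; it is not code from the theme's authors, from Wordfence, or from the original post. It flags access-log requests to the unauthenticated AJAX action, requests from the IPs in the IOC section, and plugin or upgrade-directory files with the zip names mentioned above. The log lines and file paths at the bottom are constructed samples, not real captures.

```python
"""Hunt for CVE-2025-5394 exploitation indicators in web-server logs and on disk.

Added example for this advisory (not the theme's or Wordfence's code).
Indicators are taken from the advisory text; sample data is constructed.
"""
import posixpath
import re
from collections import Counter

# Indicators named in the advisory.
EXPLOIT_ACTION = "alone_import_pack_install_plugin"
KNOWN_BAD_IPS = {"146.70.10.25", "193.84.71.244", "87.120.92.24"}
SUSPICIOUS_ZIPS = {"wp-classic-editor.zip", "background-image-cropper.zip"}

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of indicator names that match one parsed log entry."""
    reasons = []
    path = entry["path"]
    # The action is visible in the access log only when it is sent in the query string.
    if "admin-ajax.php" in path and f"action={EXPLOIT_ACTION}" in path:
        reasons.append("exploit-endpoint")
    if entry["ip"] in KNOWN_BAD_IPS:
        reasons.append("known-bad-ip")
    if any(zip_name in path for zip_name in SUSPICIOUS_ZIPS):
        reasons.append("suspicious-zip")
    return reasons


def scan(lines):
    """Scan log lines; return (list of hits, Counter of hits per source IP)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than aborting the scan
        reasons = classify(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "path": entry["path"],
                         "status": entry["status"], "reasons": reasons})
            per_ip[entry["ip"]] += 1
    return hits, per_ip


def suspicious_files(paths):
    """Return paths that carry a zip name from the advisory or any archive left in
    wp-content/upgrade, which WordPress normally empties after a successful install."""
    flagged = []
    for path in paths:
        base = posixpath.basename(path)
        if base in SUSPICIOUS_ZIPS or ("/wp-content/upgrade/" in path and base.endswith(".zip")):
            flagged.append(path)
    return flagged


# Constructed sample data (RFC 5737 documentation addresses plus the advisory's IOC IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2025:08:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
193.84.71.244 - - [12/Jul/2025:08:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 312 "-" "python-requests/2.31"
87.120.92.24 - - [12/Jul/2025:08:15:11 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 500 0 "-" "curl/8.1"
198.51.100.9 - - [12/Jul/2025:09:00:00 +0000] "GET /wp-content/upgrade/wp-classic-editor.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jul/2025:09:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"
garbage line that does not parse
""".splitlines()

SAMPLE_PATHS = [
    "/var/www/html/wp-content/plugins/akismet/akismet.php",
    "/var/www/html/wp-content/upgrade/wp-classic-editor.zip",
    "/var/www/html/wp-content/plugins/background-image-cropper/background-image-cropper.zip",
    "/var/www/html/wp-content/uploads/2025/07/photo.jpg",
]

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['ip']:15} {hit['status']} {','.join(hit['reasons']):30} {hit['path']}")
    print("hits per IP:", dict(counts))
    print("suspicious files:", suspicious_files(SAMPLE_PATHS))
```

In real use, feed `scan()` the lines of the web server's access log and `suspicious_files()` the output of `os.walk()` over wp-content. A clean log scan is not conclusive on its own: admin-ajax.php accepts the `action` parameter in the POST body as well, where a standard access log does not record it, so the directory check and a malware scan should always accompany the log review.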