WordPress Alone Theme Zero-Day Exploited in the Wild (CVE-2025-5394)
August 1st, 2025
Critical

Our Cyber Threat Intelligence Unit has been monitoring the active exploitation of a critical zero-day vulnerability, CVE-2025-5394, targeting WordPress sites that use the 'Alone – Charity Multipurpose Non-profit' theme. With a CVSS score of 9.8, this vulnerability allows unauthenticated attackers to upload arbitrary files and execute remote code, potentially leading to a complete site compromise. Initially identified by security researcher Thái An and reported by Wordfence, the flaw was patched in version 7.8.5 on June 16, 2025. Despite this update, exploitation began as early as July 12, before public disclosure. This indicates that attackers were likely monitoring upstream code changes to find and exploit hidden vulnerabilities.
Technical Details
CVE ID: CVE-2025-5394
Vulnerability Type: Arbitrary File Upload → Remote Code Execution
CVSS v3.1 Score: 9.8 (Critical)
Affected Component: alone_import_pack_install_plugin() function
Affected Product: Alone – Charity Multipurpose Non-profit WordPress Theme
Affected Versions: All versions ≤ 7.8.3
Patched Version: 7.8.5
The vulnerable alone_import_pack_install_plugin() AJAX handler fails to enforce both capability and nonce checks. Registered through the wp_ajax_nopriv hook, the function is accessible to unauthenticated users, allowing them to initiate plugin installations via ZIP file uploads remotely. Successful exploitation can lead to arbitrary file uploads and remote code execution, creating a direct pathway for deploying web shells, backdoors, and escalating privileges, ultimately facilitating full administrative control.

Impact
Successful exploitation of CVE-2025-5394 leads to full administrative takeover of WordPress installations. Observed threat actor behaviors include:
Uploading malicious ZIP archives (e.g. wp-classic-editor.zip, background-image-cropper.zip).
Installing PHP-based backdoors and file managers.
Creating rogue administrator accounts.
Executing arbitrary remote commands.
Establishing persistent access for long-term control.
At least 120,900 exploitation attempts have been observed in the wild, as reported by Wordfence. This level of targeting indicates widespread automated exploitation and scanning infrastructure.
Detection Method
Security teams can detect exploitation attempts using the following techniques:
HTTP Log Indicators:
Request path: /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin
Request method: POST
Anomalous ZIP Uploads: Look for .zip uploads via this endpoint that do not correspond to known or expected plugins/themes.
WordPress Admin Audit:
Unauthorized Administrator Accounts: Review the user database for unexpected or recently created admin-level accounts.
Suspicious Files or Plugins: Check the following directories for unknown ZIP files or plugin artifacts:
/wp-content/plugins/
/tmp/
Known Malicious Filenames: The following artifacts are indicative of ongoing exploitation and may signal the presence of backdoors or persistent access by a threat actor.
wp-classic-editor.zip
background-image-cropper.zip
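As an added example (not part of the original advisory), the following Python scans web-server access logs for the HTTP indicators above: requests to the vulnerable admin-ajax.php action (POST tagged as an attempt, GET as a probe, 2xx as not blocked) and requests touching plugin directories named after the known malicious ZIPs. The log lines are constructed test data, and the assumption that the installed plugin directory carries the ZIP basename is the author's, not the advisory's.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample combined-format access log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jul/2025:03:15:22 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2025:03:15:40 +0000] "GET /wp-content/plugins/wp-classic-editor/ HTTP/1.1" 200 310 "-" "python-requests/2.31"
192.0.2.44 - - [12/Jul/2025:04:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 403 0 "-" "curl/8.4"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
VULN_ACTION = "alone_import_pack_install_plugin"
# Assumption: installed plugin directories carry the basename of the malicious ZIPs named above.
KNOWN_MALICIOUS_SLUGS = {"wp-classic-editor", "background-image-cropper"}

def parse_line(line):
    # Split one access-log line into ip, ts, method, path, query, status; None if unparseable.
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlparse(entry["path"])
    entry["file"], entry["query"] = url.path, parse_qs(url.query)
    return entry

def classify(entry):
    """Return detection tags for one parsed entry (empty list if nothing matched)."""
    tags = []
    action = entry["query"].get("action", [])
    if entry["file"].endswith("/wp-admin/admin-ajax.php") and VULN_ACTION in action:
        # The handler is unauthenticated; a POST is the shape of an upload attempt, a GET a probe.
        tags.append("exploit-attempt" if entry["method"] == "POST" else "probe")
        if entry["status"].startswith("2"):
            tags.append("possible-success")  # 2xx means nothing in front of WordPress blocked it
    parts = entry["file"].split("/")
    if "plugins" in parts:
        slug = parts[parts.index("plugins") + 1:][:1]
        if slug and slug[0] in KNOWN_MALICIOUS_SLUGS:
            tags.append("known-malicious-plugin-path")
    return tags

def scan(log_text):
    # Return (ip, timestamp, method, status, tags) for every line that raised at least one tag.
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (tags := classify(entry)):
            alerts.append((entry["ip"], entry["ts"], entry["method"], entry["status"], tags))
    return alerts
```

Feed a real access log to scan() and correlate the source addresses of "exploit-attempt" hits with any new administrator accounts or plugin directories created shortly after the request timestamp.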
Indicators of Compromise
Type | Indicator |
ZIP Filename | wp-classic-editor.zip |
ZIP Filename | background-image-cropper.zip |

Recommendations
Organizations using the Alone WordPress theme should take the following actions immediately:
Update to version 7.8.5 or later to patch the vulnerability.
Check for unauthorized administrator accounts and audit admin roles.
Scan access logs for suspicious plugin installation attempts via admin-ajax.php.
Search for unfamiliar plugin ZIP files or suspicious files in upload directories.
Enable Web Application Firewall (WAF) rules to block known exploit patterns.
Block or monitor the IP addresses associated with this exploitation activity if observed in your network perimeter logs.
Conclusion
CVE-2025-5394 represents a high-risk, easily exploitable vulnerability in a widely used WordPress theme. The lack of authentication requirements, along with evidence of exploitation prior to public disclosure, significantly increases the risk for unpatched systems. Given the volume of observed attack activity and the availability of weaponized payloads in the wild, organizations must address this threat with urgency. We urge organizations to apply the available patch immediately, conduct comprehensive log and file audits, and review user access controls to identify and remediate any signs of compromise.