What is the critical vulnerability in WordPress Alone theme?

Threat actors are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the WordPress theme 'Alone' (CVE-2025-5394, CVSS score 9.8), enabling remote code execution and complete website takeover. The flaw is caused by a design weakness in the theme's plugin installation functionality that lacks proper authorization checks.

When did active exploitation of the Alone theme vulnerability begin?

Security researchers documented that attackers began exploiting this vulnerability on July 12, 2025, two days before the public disclosure of the flaw on July 14, 2025. This demonstrates that threat actors actively monitor software patches and changelogs to identify newly fixed security issues for exploitation.

How widespread are the attacks against the Alone theme vulnerability?

Wordfence security researchers have documented over 120,900 blocked exploitation attempts targeting this vulnerability since monitoring began. Attacks are primarily originating from specific IP addresses including 193.84.71.244 (nearly 40,000 blocked requests), 87.120.92.24 (37,100+ requests), and 146.19.213.18.

What malicious payloads are attackers using against the Alone theme?

Attackers are deploying malicious ZIP files with legitimate-sounding names such as 'wp-classic-editor.zip' and 'background-image-cropper.zip' to avoid detection. The malicious payloads include file managers that provide complete control over website databases, password-protected PHP backdoors enabling persistent remote command execution, and scripts that create hidden administrator accounts for long-term access.

Which versions of the Alone WordPress theme are vulnerable?

The vulnerability impacts all versions of the Alone WordPress theme up to and including version 7.8.3. Any website running these versions is susceptible to unauthenticated arbitrary file upload attacks that can lead to complete website compromise.

Is there a patch available for the Alone theme vulnerability?

Yes, the vendor Bearsthemes released a patched version 7.8.5 on June 16, 2025. This version addresses the critical security flaw and prevents unauthenticated attackers from exploiting the plugin installation functionality.

How can attackers achieve persistent access through this vulnerability?

Once exploited, attackers can deploy password-protected PHP backdoors that enable persistent remote command execution via HTTP requests, install file managers that provide complete control over website databases, and create hidden administrator accounts for long-term access to compromised websites, making detection and removal more difficult.

Why is the Alone theme vulnerability particularly dangerous?

The vulnerability is particularly dangerous because it requires no authentication to exploit, has a maximum CVSS score of 9.8 indicating critical severity, enables complete website takeover and remote code execution, allows installation of persistent backdoors, and is being actively exploited by threat actors with over 120,900 documented attack attempts.

What does this vulnerability reveal about WordPress theme security?

This vulnerability highlights critical issues in WordPress theme security, including the need for proper authorization checks in AJAX functions, the importance of nonce verification for security-sensitive operations, the risks of allowing unauthenticated access to plugin installation functionality, and the need for website administrators to promptly apply security updates to prevent exploitation.

Attack

Remote code execution vulnerability in WordPress Alone Theme is actively exploited

Q: How does the CVE-2025-5394 vulnerability work technically?

The vulnerability exists within the alone_import_pack_install_plugin() function that handles plugin installations during theme setup. The function lacks proper authorization checks and nonce verification mechanisms, making it accessible to any website visitor through the wp_ajax_nopriv_alone_import_pack_install_plugin AJAX action. This enables unauthenticated attackers to install malicious plugins from external servers by specifying plugin 'slug' and remote 'source' parameters.

published: July 30, 2025

Take action: If you're using the WordPress "Alone" theme, immediately update to version 7.8.5 or higher, since websites with this theme are actively attacked. If you can't update right away, temporarily disable the Alone theme until you can apply the patch.

Learn More

Threat actors are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the WordPress theme "Alone," enabling remote code execution and complete website takeover

The flaw is tracked as CVE-2025-5394 (CVSS score 9.8) - and is caused by a design weakness in the theme's plugin installation functionality, within the alone_import_pack_install_plugin() function that handles plugin installations during theme setup procedures.

The vulnerable function lacks proper authorization checks and nonce verification mechanisms, making it accessible to any website visitor through the wp_ajax_nopriv_alone_import_pack_install_plugin AJAX action. This enables unauthenticated attackers to exploit the functionality by specifying both a plugin "slug" and a remote "source" parameter, allowing them to install malicious plugins from external servers without any authentication requirements.

Security researchers documented that attackers began exploiting this vulnerability on July 12, 2025, two days before the public disclosure of the flaw on July 14, 2025. This means that threat actors actively monitor software patches and changelogs to identify newly fixed security issues.

Wordfence security researchers have documented over 120,900 blocked exploitation attempts targeting this vulnerability since monitoring began, with attacks primarily originating from specific IP addresses including 193.84.71.244 (accounting for nearly 40,000 blocked requests), 87.120.92.24 (37,100+ requests), and 146.19.213.18,

Attackers are deploying malicious ZIP files with legitimate-sounding names such as "wp-classic-editor.zip" and "background-image-cropper.zip" to avoid detection by security monitoring systems. The malicious payloads include file managers that provide attackers with complete control over website databases, password-protected PHP backdoors enabling persistent remote command execution via HTTP requests, and scripts that create hidden administrator accounts for long-term access

The vulnerability impacts all versions of the Alone WordPress theme up to and including version 7.8.3.

The vendor, Bearsthemes, released a patched version 7.8.5 on June 16, 2025.

Website administrators must immediately update to Alone theme version 7.8.5 or later. Organizations unable to immediately implement the update should consider temporarily disabling the theme until the security patch can be applied.

Remote code execution vulnerability in WordPress Alone Theme is actively exploited

Read More
Palo Alto Networks reports another actively exploited firewall …
Atlassian Confluence vulnerability exploited in active hacks by …
CISA warns of exploited Linux kernel flaw
Active exploitation of critical SAP flaw CVE-2017-12637 reported …
CISA warns of actively exploited NextGen Healthcare Mirth …