Threat actors are actively exploiting a critical zero-day vulnerability in the “Alone – Charity Multipurpose Non-profit WordPress Theme” to compromise websites and achieve full site takeovers. The vulnerability, identified as CVE-2025-5394, has been assigned a critical CVSS score of 9.8, underscoring the severity of the flaw.
According to security researchers, the vulnerability stems from a missing capability check in the alone_import_pack_install_plugin() function. Without that check, an unauthenticated attacker can upload arbitrary ZIP files to a vulnerable site by masquerading them as legitimate plugins. These malicious archives, often containing web shells or backdoors, can then be used to achieve remote code execution and gain complete control over the affected website.
Reports from security firm Wordfence indicate that exploitation attempts began as early as July 12, 2025, just two days before the vulnerability was publicly disclosed. This suggests that attackers may have been monitoring code changes for newly addressed vulnerabilities. The firm has already blocked over 120,900 exploit attempts originating from a small number of IP addresses. The attacks typically involve uploading a ZIP file containing a PHP-based backdoor to execute remote commands, upload additional files, or create rogue administrator accounts.
The “Alone” theme is popular among non-profit organizations, with over 9,000 installations, making these organizations particularly vulnerable targets. A separate, but equally critical, vulnerability (CVE-2025-5393) has also been discovered and is being actively exploited. This flaw allows unauthenticated attackers to delete arbitrary files on the server, which can also lead to remote code execution and a full site takeover if a critical file like wp-config.php is deleted.
Users of the “Alone” theme are strongly advised to update to version 7.8.5 or newer immediately to patch both vulnerabilities. This is a critical step to mitigate the risk of a site takeover. For those unable to update immediately, monitoring for suspicious activity, such as new, unrecognized administrator accounts or unusual file uploads, is recommended. Organizations should also consider using a security plugin with a robust firewall to block known exploit attempts.
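For the monitoring step, the following added example (not code from the theme, Wordfence, or this article) scans web server access logs in Combined Log Format for requests that invoke the vulnerable function through WordPress's admin-ajax.php endpoint and tallies them per source IP. It assumes the AJAX action name matches the function name cited above; the log lines and IP addresses are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: the AJAX action is named after the function the article cites.
SUSPECT_ACTION = "alone_import_pack_install_plugin"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_attempts(lines):
    """Return (ip, time, status) for each request that names SUSPECT_ACTION.

    Only the query string is visible in access logs; an action sent in a
    POST body needs WAF or application-level logging to be seen.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes values before the comparison.
        if SUSPECT_ACTION in parse_qs(url.query).get("action", []):
            hits.append((m["ip"], m["time"], int(m["status"])))
    return hits

def attempts_by_ip(hits):
    """Count matching requests per source address."""
    return Counter(ip for ip, _, _ in hits)

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 58 "-" "-"',
    '203.0.113.7 - - [12/Jul/2025:03:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=%61lone_import_pack_install_plugin HTTP/1.1" 403 12 "-" "-"',
    '198.51.100.20 - - [12/Jul/2025:03:15:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Jul/2025:03:16:00 +0000] "GET /?s=alone_import_pack_install_plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in attempts_by_ip(find_attempts(SAMPLE_LOG)).most_common():
        print(f"{ip}\t{count} request(s) naming {SUSPECT_ACTION}")
```

A match with a 200 status on a site running a theme version older than 7.8.5 warrants a review of the plugins directory and the administrator account list.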