Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Attackers actively exploit critical zero-day in Alone WordPress Theme

Hackers exploit a critical vulnerability, tracked as CVE-2025-5394 (CVSS score of 9.8), in the Alone WordPress theme to hijack sites. Threat actors are actively exploiting a critical flaw, tracked as CVE-2025-5394 (CVSS score of 9.8), in the “Alone – Charity Multipurpose Non-profit WordPress Theme” to compromise websites. On May 30th, 2025, security researcher Thái An […]

Alone WordPress theme

Hackers exploit a critical vulnerability, tracked as CVE-2025-5394 (CVSS score of 9.8), in the Alone WordPress theme to hijack sites.

Threat actors are actively exploiting a critical flaw, tracked as CVE-2025-5394 (CVSS score of 9.8), in the “Alone – Charity Multipurpose Non-profit WordPress Theme” to compromise websites.

On May 30th, 2025, security researcher Thái An reported the bug via WordPress security firm Wordfence.

“This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.” reads the advisory published by Wordfence.

The issue is an Arbitrary File Upload via Plugin Installation vulnerability in the Alone theme, which has more than 9,000 installations.

The flaw was exploited as zero-day, its exploitation began before public disclosure on July 14, 2025. The flaw impacts Alone theme versions up to 7.8.3, it was addressed on June 16 in version 7.8.5.

“According to our data, attackers started targeting websites on July 12th, before the vulnerability was publicly disclosed, on July 14th. A clear indication that attackers are monitoring changesets and software for newly patched vulnerabilities.” continues the report.

The researchers examined the theme code and discovered that the alone_import_pack_install_plugin() function in the Alone WordPress theme lacked capability and nonce checks, allowing unauthenticated users to access it via the wp_ajax_nopriv hook. This allowed attackers to install plugins using remote sources by sending crafted requests, leading to arbitrary file uploads and potential remote code execution. In effect, the flaw enabled full site takeover through unauthorized plugin installation.

Since the vendor patched the flaw, Wordfence has blocked over 120,900 exploit attempts. Several IP addresses, including 193.84.71.244 and 87.120.92.24, are responsible for tens of thousands of malicious requests targeting the Alone theme.

In the attacks blocked by Wordfence, threat actors exploit the flaw to upload ZIP files like “wp-classic-editor.zip” containing PHP backdoors. These let them run remote commands, upload more files, and even install full file managers or hidden admin accounts, giving them full control over the site.

WordPress site admins using the Alone theme should update to the latest version, check for suspicious admin accounts, and scan logs for requests to /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Alone WordPress theme)