If you're running a WordPress site, especially one using the "Alone – Charity Multipurpose Non-profit WordPress Theme," listen up! Threat actors are actively exploiting a critical vulnerability (CVE-2025-5394) to hijack websites. This isn't a drill—sites are being compromised as we speak.
What's the Big Deal?
This flaw, with a severe CVSS score of 9.8, allows unauthenticated attackers to upload arbitrary files to your site and achieve remote code execution. In simpler terms, a hacker can essentially take full control of your website.
When Did This Start?
Evidence suggests that exploitation of CVE-2025-5394 began as early as July 12, 2025, a full two days before the vulnerability was even publicly disclosed. This is a strong indication that these threat actors are closely monitoring code changes for newly addressed vulnerabilities, giving them a head start on attacks.
So far, security firm Wordfence has already blocked a staggering 120,900 exploit attempts targeting this flaw. The attacks are originating from a number of IP addresses.
How Are They Doing It?
Attackers are leveraging this flaw to upload ZIP archives, typically named "wp-classic-editor.zip" or "background-image-cropper.zip." These seemingly innocuous files contain dangerous PHP-based backdoors that allow them to execute remote commands and upload even more malicious files. They're also deploying fully-featured file managers and backdoors capable of creating rogue administrator accounts, giving them complete control over your site.
The vulnerability stems from a missing capability check in a plugin installation function (alone_import_pack_install_plugin()). This means even someone without a login can remotely deploy malicious plugins via AJAX requests.
What Should You Do IMMEDIATELY?
If you are using the "Alone – Charity Multipurpose Non-profit WordPress Theme", it's crucial to take action right away:
Update Your Theme: The vulnerability has been addressed in version 7.8.5 of the "Alone – Charity Multipurpose Non-profit WordPress Theme," released on June 16, 2025. Make sure your theme is updated to the latest version. This is your most critical step!
Check for Suspicious Admin Users: After updating, meticulously review your WordPress users. Look for any unfamiliar or newly created administrator accounts. If you find any, delete them immediately.
Scan Your Logs: Examine your server access logs for requests to /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin. The presence of these requests could indicate an attempted or successful exploit.
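As an added example (not code from the original article or from the theme), here is a small Python scanner for the log check described above: it parses combined-format access log lines, flags requests to admin-ajax.php whose query string carries the action named above (after URL decoding, the way PHP sees it), and counts attempts per source IP. The log regex and the sample log lines, IPs and timestamps are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format. This regex is part of the example, not from the article.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# AJAX action named in the article; compared after URL decoding, as PHP would see it.
SUSPECT_ACTION = "alone_import_pack_install_plugin"


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspect(entry):
    """True when the request hits admin-ajax.php with the vulnerable action in its query string."""
    parts = urlsplit(entry["target"])
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    # parse_qs decodes percent-encoding once, mirroring how PHP fills $_REQUEST['action'].
    return SUSPECT_ACTION in parse_qs(parts.query).get("action", [])


def scan(lines):
    """Return (hits, per_ip): the matching entries and a count of them per source IP."""
    hits = [e for e in map(parse_line, lines) if e and is_suspect(e)]
    return hits, Counter(h["ip"] for h in hits)


# Constructed sample log lines (addresses and timestamps are made up, not from the article).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jul/2025:03:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=alone%5Fimport%5Fpack%5Finstall%5Fplugin HTTP/1.1" 200 512',
    '198.51.100.2 - - [12/Jul/2025:03:15:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 99',
    '198.51.100.2 - - [12/Jul/2025:03:16:00 +0000] "GET /wp-content/themes/alone/style.css HTTP/1.1" 200 1024',
    '2001:db8::1 - - [12/Jul/2025:03:17:00 +0000] "POST /blog/wp-admin/admin-ajax.php?foo=1&action=alone_import_pack_install_plugin HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print("attempts per source IP:", dict(per_ip))
```

Access logs record only the request line, so an action carried in a POST body does not appear here; a clean scan rules out only the URL-borne form of the request, and the admin-user review above still applies.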
Don't delay! The active exploitation of this flaw means your site could be next. Take these steps now to protect your WordPress website.