Threat actors are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the WordPress theme ‘Alone’ to gain remote code execution and perform a full site takeover.
Wordfence is reporting the malicious activity, saying it has blocked over 120,000 exploitation attempts targeting its customers.
The WordPress security firm also reports that the attacks started several days before public disclosure of the flaw, indicating that threat actors are monitoring changelogs and patches to find trivially exploitable issues before alerts are sent to site owners.
The vulnerability, tracked as CVE-2025-5394, affects all versions of Alone up to 7.8.3. The vendor, Bearsthemes, fixed it in Alone version 7.8.5, released on June 16, 2025.
The problem stems from the theme’s ‘alone_import_pack_install_plugin()’ function, which lacks nonce checks and is exposed via the wp_ajax_nopriv_ hook.
The function allows plugin installation via AJAX and accepts a remote source URL in the POST data, enabling unauthenticated users to trigger plugin installations from remote URLs.
According to Wordfence, attackers leverage the flaw to upload webshells inside ZIP archives, deploy password-protected PHP backdoors that allow persistent remote command execution via HTTP requests, or create hidden administrator users.
In some cases, the attackers even install full-featured file managers that give them full control over the site’s databases.
Given the above, indicators of compromise include the appearance of new admin users, suspicious ZIP/plugin folders, and requests to ‘admin-ajax.php?action=alone_import_pack_install_plugin.’
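To turn the request-based indicator above into a check, here is an added example (not code from Wordfence, Bearsthemes or the article) of a small Python scanner that flags admin-ajax.php requests carrying that action parameter in an Apache/nginx combined-format access log and summarises them per source IP. The log lines, IPs and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jul/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jul/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.7 - - [20/Jul/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "python-requests/2.31"
203.0.113.10 - - [20/Jul/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# AJAX action named in the Wordfence indicator of compromise.
TARGET_ACTION = "alone_import_pack_install_plugin"


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_exploit_attempt(rec):
    """True when the request hits admin-ajax.php with the vulnerable action in the query string."""
    url = urlsplit(rec["path"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return TARGET_ACTION in parse_qs(url.query).get("action", [])


def scan(log_text):
    """Return every parsed record that matches the indicator, in log order."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and is_exploit_attempt(rec)]


def attempts_by_ip(log_text):
    """Count matching requests per source IP, a quick input for blocklist decisions."""
    return Counter(rec["ip"] for rec in scan(log_text))


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        # A 200 response to this action means the plugin directory needs review.
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} status={rec["status"]}')
    print(dict(attempts_by_ip(SAMPLE_LOG)))
```

Because the action name can also travel in the POST body, which access logs do not record, a clean scan does not prove the site was never targeted; pair it with the admin-user and plugin-folder checks named above.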
Wordfence logged tens of thousands of exploitation attempts from the IP addresses 193.84.71.244, 87.120.92.24, 146.19.213.18, and 2a0b:4141:820:752::2, so these should be blocked immediately.
Source: Wordfence
Alone is a premium theme with nearly 10,000 sales on the Envato marketplace, primarily used by non-profits such as charities, NGOs, fundraising organizations, and social organizations.
Although Wordfence submitted a report to Bearsthemes as early as May 30, 2025, they did not hear back, so they escalated the issue to the Envato team on June 12.
Four days later, the vendor released a fixed version of Alone, v7.8.5, which is the recommended update target for all users.
Last month, another premium WordPress theme, Motors, was targeted by hackers who exploited a user validation flaw to hijack administrator accounts on vulnerable websites.