Threat actors are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the WordPress theme 'Alone' to achieve remote code execution and perform a full site takeover.
Wordfence is reporting the malicious activity, saying it has blocked over 120,000 exploitation attempts targeting its customers.
The WordPress security firm also reports that the attacks started several days before public disclosure of the flaw, indicating that threat actors are monitoring changelogs and patches to find trivially exploitable issues before alerts reach site owners.
The vulnerability, tracked as CVE-2025-5394, affects all versions of Alone up to 7.8.3. The vendor, Bearsthemes, fixed it in Alone version 7.8.5, released on June 16, 2025.
The problem stems from the theme's 'alone_import_pack_install_plugin()' function, which lacks nonce checks and is exposed via the wp_ajax_nopriv_ hook, the WordPress AJAX hook that serves visitors who are not logged in.
The function allows plugin installation via AJAX and accepts a remote source URL in the POST data, so an unauthenticated visitor can make the site download and install a plugin ZIP from a URL of their choosing. Since anything unpacked into wp-content/plugins is served as PHP, that is equivalent to arbitrary file upload and remote code execution.
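To make the bug pattern concrete, here is an added, hypothetical reconstruction of the vulnerable handler shape beside one way to harden it. This is illustrative code written for this article, not Bearsthemes' source or the 7.8.5 patch; the POST parameter names, the nonce action name and the package allowlist are assumptions.

```php
<?php
// Added illustration: the vulnerable pattern as described by Wordfence, next to a hardened handler.
// Hypothetical reconstruction; not the theme's actual code or the vendor's fix.

require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

/* ---- Vulnerable shape -------------------------------------------------- */

// Registering the handler on wp_ajax_nopriv_ makes it reachable by visitors who are
// not logged in, via POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin
add_action( 'wp_ajax_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin' );
add_action( 'wp_ajax_nopriv_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin' );

function alone_import_pack_install_plugin() {
    // No check_ajax_referer() and no current_user_can() here.
    $source = isset( $_POST['plugin_source'] ) ? $_POST['plugin_source'] : ''; // parameter name assumed

    // Plugin_Upgrader::install() downloads the ZIP at $source and unpacks it into
    // wp-content/plugins. Any PHP inside the archive is then served by the site.
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $source );
    wp_send_json_success();
}

/* ---- Hardened shape ---------------------------------------------------- */

// Only the authenticated hook; no nopriv variant at all.
add_action( 'wp_ajax_alone_import_pack_install_plugin_safe', 'alone_import_pack_install_plugin_safe' );

function alone_import_pack_install_plugin_safe() {
    // 1. CSRF: the request must carry a nonce minted for this action (action name assumed).
    check_ajax_referer( 'alone_import_pack', 'nonce' );

    // 2. Authorization: installing plugins is an administrator-level capability.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Never take a package URL from the request. Map a slug to a fixed,
    //    theme-controlled source (allowlist contents are an assumption).
    $allowed = array(
        'contact-form-7' => 'https://downloads.wordpress.org/plugin/contact-form-7.latest-stable.zip',
    );
    $slug = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    if ( ! isset( $allowed[ $slug ] ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $allowed[ $slug ] );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
```

The three controls are independent: the nonce stops cross-site requests, the capability check stops low-privilege logged-in users, and the allowlist removes the attacker's choice of package entirely. Dropping the wp_ajax_nopriv_ registration alone would close the unauthenticated path but still leave a subscriber able to install arbitrary code.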
According to Wordfence, attackers leverage the flaw to upload webshells inside ZIP archives, deploy password-protected PHP backdoors that allow persistent remote command execution via HTTP requests, or create hidden administrator users.
In some cases, the attackers even install full-featured file managers that give them complete control over the site's files and databases.
Given the above, indicators of compromise include the appearance of new admin users, suspicious ZIP files or plugin folders, and requests to 'admin-ajax.php?action=alone_import_pack_install_plugin'.
Wordfence logged tens of thousands of exploitation attempts from the IP addresses 193.84.71.244, 87.120.92.24, 146.19.213.18, and 2a0b:4141:820:752::2, so these should be blocked immediately.
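As an added example of turning those indicators into a check, the following PHP script (written for this article, not Wordfence's tooling) scans a combined-format access log for requests carrying the vulnerable action and for traffic from the IPs named above. The log lines embedded in it are constructed samples, not real traffic; the action name and IP list come from the text.

```php
<?php
// Added example: scan an access log for the indicators of compromise listed above.
// Not Wordfence's code. The log lines below are constructed samples, not real traffic.

const ALONE_ACTION = 'alone_import_pack_install_plugin';

// Attacker IPs named in the article.
const KNOWN_BAD_IPS = array(
    '193.84.71.244',
    '87.120.92.24',
    '146.19.213.18',
    '2a0b:4141:820:752::2',
);

/**
 * Parse one combined-log-format line into its parts, or return null if it does not match.
 */
function parse_log_line( string $line ): ?array {
    // <ip> - - [<time>] "<method> <path> HTTP/x" <status> <bytes> "<referer>" "<ua>"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] );
}

/**
 * Return findings for lines that touch the vulnerable AJAX action or come from a
 * known attacker IP. Each finding records why it was flagged.
 */
function scan_access_log( array $lines ): array {
    $findings = array();
    foreach ( $lines as $n => $line ) {
        $req = parse_log_line( $line );
        if ( $req === null ) {
            continue;
        }
        $reasons = array();

        // The exploit is a request to admin-ajax.php carrying the theme's action.
        $query = parse_url( $req['path'], PHP_URL_QUERY ) ?: '';
        parse_str( $query, $params );
        if ( strpos( $req['path'], 'admin-ajax.php' ) !== false
             && isset( $params['action'] ) && $params['action'] === ALONE_ACTION ) {
            // A 200 on a POST means the handler ran; treat as likely successful exploitation.
            $reasons[] = ( $req['method'] === 'POST' && $req['status'] === 200 )
                ? 'exploit request succeeded (HTTP 200)'
                : 'exploit request observed (HTTP ' . $req['status'] . ')';
        }

        if ( in_array( strtolower( $req['ip'] ), KNOWN_BAD_IPS, true ) ) {
            $reasons[] = 'source IP named by Wordfence';
        }

        if ( $reasons ) {
            $findings[] = array( 'line' => $n + 1, 'ip' => $req['ip'], 'path' => $req['path'], 'reasons' => $reasons );
        }
    }
    return $findings;
}

// Constructed sample log (not real data; the plugin folder name is a placeholder).
$sample = array(
    '203.0.113.7 - - [17/Jul/2025:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '193.84.71.244 - - [17/Jul/2025:10:02:13 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 27 "-" "python-requests/2.31"',
    '198.51.100.9 - - [17/Jul/2025:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 403 0 "-" "curl/8.0"',
    '2a0b:4141:820:752::2 - - [17/Jul/2025:10:05:00 +0000] "GET /wp-content/plugins/placeholder-dropped-plugin/x.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
);

foreach ( scan_access_log( $sample ) as $f ) {
    printf( "line %d  %-22s %s\n    -> %s\n", $f['line'], $f['ip'], $f['path'], implode( '; ', $f['reasons'] ) );
}
```

Run it as `php scan.php` after replacing `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`. A hit on the action with a 200 response from before June 16, 2025 should be treated as a likely compromise: check wp-content/plugins for folders not installed by an administrator, list users with the administrator role, and rotate credentials, rather than only updating the theme.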

Source: Wordfence
Alone is a premium theme with nearly 10,000 sales on the Envato marketplace, primarily used by non-profits such as charities, NGOs, fundraising organizations, and social organizations.
Although Wordfence submitted a report to Bearsthemes as early as May 30, 2025, it did not hear back, so it escalated the issue to the Envato team on June 12.
Four days later, the vendor released a fixed version of Alone, v7.8.5, which is the recommended update target for all users.
Last month, another premium WordPress theme, Motors, was targeted by hackers who exploited a user validation flaw to hijack administrator accounts on vulnerable websites.




