Hackers Target Critical Vulnerability in ‘Alone’ WordPress Theme to Take Over Websites Through Remote Plugin Installation

Jul 31, 2025
Vulnerability / Website Security

Threat actors are currently exploiting a serious security flaw in the “Alone – Charity Multipurpose Non-profit WordPress Theme,” allowing them to seize control of vulnerable websites. The vulnerability, identified as CVE-2025-5394, has a CVSS score of 9.8. Security researcher Thái An discovered and reported the issue. According to Wordfence, the flaw involves an arbitrary file upload that affects all plugin versions up to and including 7.8.3. It was patched in version 7.8.5, released on June 16, 2025. CVE-2025-5394 arises from a function called “alone_import_pack_install_plugin(),” which lacks a necessary capability check, enabling unauthenticated users to upload arbitrary plugins from remote sources through AJAX, thus executing code remotely. “This vulnerability allows an attacker without authentication to upload arbitrary files to a vulnerable site, leading to remote code execution…”

Hackers Exploit Severe Vulnerability in WordPress Theme, Compromising Numerous Sites

On July 31, 2025, reports surfaced detailing a critical security vulnerability in the “Alone – Charity Multipurpose Non-profit WordPress Theme,” which has become a focal point for cybercriminals. This flaw, identified as CVE-2025-5394, has garnered an alarming CVSS score of 9.8, indicating its potential for severe impact. It was responsibly disclosed by security researcher Thái An, emphasizing the growing threats posed to website security.

The vulnerability affects all iterations of the theme’s associated plugin prior to version 7.8.3, with a fix implemented in version 7.8.5 released on June 16, 2025. According to the cybersecurity firm Wordfence, this exploit hinges on a function called “alone_import_pack_install_plugin()” that lacks necessary capability checks. As a result, unauthenticated attackers are able to upload arbitrary plugins directly from remote sources using AJAX, enabling them to execute malicious code on compromised sites.

This critical oversight allows malicious actors to gain significant control over vulnerable WordPress sites. Once exploited, attackers can not only hijack these sites but also manipulate them for various purposes, including data theft or further infiltrating other connected systems. Such vulnerabilities pose a formidable risk, particularly to non-profit organizations and charities that may lack robust cybersecurity measures.

The primary targets of this exploit are WordPress sites that utilize the affected theme, which can span a wide array of sectors, including education, healthcare, and social services. The nature of the exploit suggests that many non-profit organizations in the United States could be at risk, given their reliance on this theme for web presence.

In examining the tactics and techniques potentially employed by the attackers, the MITRE ATT&CK Matrix provides useful insights. The initial access methodology here is likely the exploitation of a major software flaw, granting adversaries the ability to gain a foothold in the system. Furthermore, through remote code execution, attackers could establish persistence within the system, allowing for sustained access and control over time.

As incidents like this continue to emerge, business owners and web administrators are urged to remain vigilant. It is essential to regularly update plugins and themes, monitor site activity, and implement comprehensive security solutions to mitigate the risk of exploitation. The rapid evolving landscape of cyber threats underscores the necessity of proactive measures to safeguard online assets against such vulnerabilities.

As the cybersecurity landscape broadens, the repercussions of such vulnerabilities demand attention and prompt action from all stakeholders involved in website management and digital infrastructure.

Source link

Related Posts

Google Unveils Open Beta for Device Bound Session Credentials in Chrome, Enhancing Patch Transparency with Project Zero

July 30, 2025
Device Security / AI Security

Google has launched an open beta for its Device Bound Session Credentials (DBSC), a security feature aimed at protecting users from session cookie theft attacks. Initially introduced as a prototype in April 2024, DBSC binds authentication sessions to specific devices, preventing malicious actors from using stolen cookies to access accounts from unauthorized devices. “Available in the Chrome browser on Windows, DBSC enhances security after login by linking session cookies—small files that remember user information—to the device used for authentication,” said Andy Wen, senior director of product management at Google Workspace. This initiative not only secures user accounts post-authentication but also complicates the reuse of session cookies, bolstering session integrity. The company has also…

Serious Security Vulnerabilities in Dahua Cameras Enable Remote Takeover via ONVIF and File Upload Exploits

July 30, 2025
Firmware Security / Vulnerability

Cybersecurity researchers have revealed critical security vulnerabilities within the firmware of Dahua smart cameras, which have since been patched. If left unaddressed, these flaws could allow attackers to take control of affected devices. According to a report from Bitdefender shared with The Hacker News, the vulnerabilities—related to the device’s ONVIF protocol and file upload handlers—enable unauthorized attackers to execute arbitrary commands remotely, effectively seizing control of the device.

Tracked as CVE-2025-31700 and CVE-2025-31701 (CVSS scores: 8.1), the vulnerabilities impact the following device series running firmware versions with build timestamps prior to April 16, 2025:

  • IPC-1XXX Series
  • IPC-2XXX Series
  • IPC-WX Series
  • IPC-ECXX Series
  • SD3A Series
  • SD2A Series
  • SD3D Series
  • SDT2A Series
  • SD2C Series

Users can check their device’s build time by logging into the web interface and navigating to Settings → System Information → Version. Both vulnerabilities are classified as…