Critical RCE in WordPress Alone Theme Actively Exploited by Hackers

Summary
– A critical vulnerability in the WordPress theme ‘Alone’ (CVE-2025-5394) allows unauthenticated attackers to upload arbitrary files and execute remote code, enabling full site takeover.
– Wordfence has blocked over 120,000 exploitation attempts, with attacks starting before public disclosure, suggesting threat actors monitor patches for vulnerabilities.
– The flaw exists in versions up to 7.8.3 and was fixed in version 7.8.5, released on June 16, 2025, by Bearsthemes after a delayed response to Wordfence’s report.
– Attackers exploit the vulnerability to upload webshells, deploy PHP backdoors, create hidden admin users, or install file managers for complete site control.
– Alone is a premium theme with ~10,000 sales, mainly used by non-profits, and similar attacks recently targeted another premium theme, Motors.
A critical security flaw in the popular WordPress Alone theme is being actively exploited by hackers, allowing them to execute malicious code and take complete control of vulnerable websites. Security researchers have detected over 120,000 attack attempts targeting this vulnerability, with cybercriminals deploying backdoors, hidden admin accounts, and file managers to maintain persistent access.
The vulnerability, identified as CVE-2025-5394, affects all versions of the Alone theme prior to 7.8.5. The issue stems from an insecure file upload function that fails to verify user permissions, enabling attackers to upload and execute arbitrary plugins from remote servers. Exploits began before the flaw was publicly disclosed, suggesting hackers monitor patch releases to strike before site owners can secure their systems.
According to security firm Wordfence, attackers are abusing the theme’s `alone_import_pack_install_plugin()` function, which lacks proper authentication checks. By sending crafted requests, hackers can force the installation of malicious plugins containing webshells or backdoors. Some attacks involve uploading password-protected PHP scripts that grant remote command execution, while others create hidden administrator accounts for long-term access.
Key indicators of compromise include unexpected admin users, suspicious plugin folders, and unusual requests to `admin-ajax.php` with the vulnerable action parameter. Security teams should also monitor for connections from known malicious IPs, including 193.84.71.244, 87.120.92.24, 146.19.213.18, and 2a0b:4141:820:752::2, which have been linked to these attacks.
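As an added illustration (not code from the article or from Wordfence), the script below applies the indicators above to web-server access-log lines: it flags requests from the listed source addresses and requests to `admin-ajax.php` carrying the vulnerable action. The log lines are constructed, and the action name `alone_import_pack_install_plugin` is an assumption derived from the vulnerable function's name, which the article does not quote as a request parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Source addresses quoted in the article. The action name is an assumption:
# WordPress AJAX handlers are usually registered under the handler's own name.
KNOWN_BAD_IPS = {
    "193.84.71.244", "87.120.92.24", "146.19.213.18", "2a0b:4141:820:752::2",
}
SUSPECT_ACTION = "alone_import_pack_install_plugin"

# Apache/nginx "combined"-style access log: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation-range IPs plus two addresses from the article).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jul/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512
193.84.71.244 - - [20/Jul/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 88
198.51.100.7 - - [20/Jul/2025:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 500 0
203.0.113.10 - - [20/Jul/2025:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 4096
""".splitlines()


def triage_line(line):
    """Return the reasons a single log line is suspicious (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    if m["ip"] in KNOWN_BAD_IPS:
        reasons.append("known-bad source " + m["ip"])
    parts = urlsplit(m["url"])
    if parts.path.endswith("/wp-admin/admin-ajax.php"):
        # Only a query-string action is visible here; an action sent in the POST
        # body never reaches the access log and needs WAF or request-body logging.
        action = parse_qs(parts.query).get("action", [""])[0]
        if action == SUSPECT_ACTION:
            reasons.append("vulnerable action " + action)
    return reasons


def triage(lines):
    """Return (line_number, reasons) for every flagged line in the log."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reasons = triage_line(line)
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in triage(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

The third sample line shows why the action check matters: the request comes from an address not on any list, so IP blocking alone would miss it.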
The Alone theme, sold over 10,000 times on Envato Market, is widely used by nonprofits, charities, and fundraising organizations. Despite early warnings from Wordfence in late May 2025, the vendor, Bearsthemes, only released a patch (version 7.8.5) on June 16 after Envato intervened. Website administrators must update immediately to mitigate the risk of compromise.
This incident follows a similar attack last month against the Motors WordPress theme, where hackers exploited authentication weaknesses to hijack administrator accounts. The trend highlights the growing threat posed by vulnerabilities in premium themes, which often handle sensitive data and require urgent patching.
To protect against exploitation, users should:
- Update the Alone theme to version 7.8.5 or later
- Audit user accounts and remove suspicious administrators
- Scan for unfamiliar plugins or files
- Block known malicious IP addresses
Failure to act could result in complete site takeover, data theft, or further malware infections. Given the aggressive exploitation in progress, delaying updates is not an option.
(Source: BLEEPING COMPUTER)