Ethical Hacking News
Hackers are exploiting a critical vulnerability in the WordPress Alone theme, allowing them to achieve remote code execution and perform full site takeovers on vulnerable websites. Update to version 7.8.5 of the theme immediately to prevent further exploitation.
WordPress users are vulnerable to a critical unauthenticated arbitrary file upload vulnerability in the 'Alone' theme up to version 7.8.3. The vulnerability allows hackers to achieve remote code execution and perform full site takeovers via plugin installations from remote URLs. Threat actors have been exploiting the vulnerability for days before public disclosure, highlighting the importance of keeping software up-to-date. The malicious activity has been blocked by Wordfence, but users are advised to update to version 7.8.5 of the Alone theme immediately. Users should monitor their websites for signs of compromise, such as new admin users or suspicious ZIP/plugin folders.
WordPress users are being warned of a critical unauthenticated arbitrary file upload vulnerability that is being actively exploited by hackers, who are using it to achieve remote code execution and perform full site takeovers. The vulnerability, tracked under CVE-2025-5394, impacts all versions of the popular WordPress theme 'Alone' up to 7.8.3, making nearly 10,000 users vulnerable.
The problem stems from the theme's 'alone_import_pack_install_plugin()' function, which lacks nonce checks and is exposed via the wp_ajax_nopriv_ hook. This function allows plugin installation via AJAX and accepts a remote source URL in the POST data, enabling unauthenticated users to trigger plugin installations from remote URLs. Hackers are taking advantage of this vulnerability by uploading webshells inside ZIP archives, deploying password-protected PHP backdoors that allow persistent remote command execution via HTTP requests, or creating hidden administrator users.
The attacks started several days before public disclosure of the flaw, indicating that threat actors are monitoring changelogs and patches to discover trivially exploitable issues before alerts are sent to website owners. This highlights the importance of keeping software up-to-date, as the vulnerability was patched in Alone version 7.8.5, released on June 16, 2025.
The malicious activity has been reported by Wordfence, which has blocked over 120,000 exploitation attempts targeting its customers. The threat actors have also used IP addresses such as 193.84.71.244, 87.120.92.24, 146.19.213.18, and 2a0b:4141:820:752::2 to launch the attacks.
The WordPress security firm is advising its customers to update to version 7.8.5 of the Alone theme immediately to prevent further exploitation. Additionally, users are being warned to monitor their websites for signs of compromise, which may include the appearance of new admin users, suspicious ZIP/plugin folders, and requests to 'admin-ajax.php?action=alone_import_pack_install_plugin'.
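As an added example (not code from Wordfence or from the article's sources), the log-review step above can be scripted: the sketch below scans web server access logs in Combined Log Format for requests to admin-ajax.php that carry the vulnerable action or come from one of the reported IP addresses. The log format and the sample lines are assumptions; WordPress also reads the action from the POST body, which access logs do not record, so hits from the reported IPs are flagged even when no action is visible.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the article above.
ACTION = "alone_import_pack_install_plugin"
REPORTED_IPS = {ipaddress.ip_address(a) for a in (
    "193.84.71.244", "87.120.92.24", "146.19.213.18", "2a0b:4141:820:752::2")}

# Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def scan(lines):
    """Return (timestamp, ip, status, reasons) for each suspicious log line."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/wp-admin/admin-ajax.php"):
            continue
        reasons = []
        # parse_qs percent-decodes, so an encoded action name is still caught
        if ACTION in parse_qs(url.query).get("action", []):
            reasons.append("vulnerable-action")
        try:
            # ip_address() normalises IPv6, so expanded forms match too
            if ipaddress.ip_address(m["ip"]) in REPORTED_IPS:
                reasons.append("reported-ip")
        except ValueError:
            pass  # client field is a hostname, not an address
        if reasons:
            findings.append((m["ts"], m["ip"], int(m["status"]), reasons))
    return findings

# Constructed sample lines, not real traffic (203.0.113.0/24 is a documentation range).
SAMPLE = [
    '203.0.113.7 - - [12/Jul/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 512 "-" "-"',
    '193.84.71.244 - - [12/Jul/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=alone%5Fimport_pack_install_plugin HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [12/Jul/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "-"',
    '2a0b:4141:0820:0752:0:0:0:2 - - [12/Jul/2025:10:02:00 +0000] "POST /blog/wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [12/Jul/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A 200 response on a flagged line is a reason to check the site for the other signs listed above (new admin users, unexpected ZIP or plugin folders), not proof of compromise on its own.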
The WordPress community is also taking notice of this critical vulnerability, with some prominent themes and plugins already addressing the issue. However, more needs to be done to ensure that all users are protected from these types of attacks.
In recent weeks, there have been several other high-profile vulnerabilities discovered in various software products, including a user validation flaw exploited by hackers to hijack administrator accounts on vulnerable websites, as well as a critical RCE flaw in the Wing FTP Server. These incidents highlight the importance of staying vigilant and proactive when it comes to software security.
In conclusion, this recent vulnerability in the WordPress Alone theme serves as a reminder that no system is completely secure, and that regular updates and patching are essential for protecting against these types of attacks. By taking the necessary precautions and staying informed, users can help prevent their websites from being compromised by malicious actors.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Exploit-Critical-Vulnerability-in-WordPress-Alone-Theme-Leaving-Websites-Open-to-Remote-Code-Execution-ehn.shtml
https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-in-wordpress-alone-theme/
https://nvd.nist.gov/vuln/detail/CVE-2025-5394
https://www.cvedetails.com/cve/CVE-2025-5394/
Published: Wed Jul 30 13:00:53 2025 by llama3.2 3B Q4_K_M