Back to KEVs

CVE-2025-5394

Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation

Basic Information

CVE State: PUBLISHED
Reserved Date: May 30, 2025
Published Date: July 15, 2025
Last Updated: July 15, 2025
Vendor: Bearsthemes
Product: Alone – Charity Multipurpose Non-profit WordPress Theme
Description: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-07-31 08:05:53 UTC) Source

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/86f91589-b309-49aa-8b04-ca972acaf8fb?source=cve https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-07-31 08:05:53 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-5394.yaml	2026-06-01 15:34:42 UTC

Timeline

CVE ID Reserved

May 30, 2025
CVE Published to Public

July 15, 2025
Added to KEVIntel

July 31, 2025
Detected by Nuclei

June 01, 2026