Threat Actors Exploit Unauthenticated Arbitrary File Upload Flaw in ‘Alone’ Theme


A critical vulnerability has been discovered in the popular WordPress theme ‘Alone’, allowing attackers to achieve remote code execution and take control of vulnerable websites. According to Wordfence, a leading WordPress security firm, threat actors have been actively exploiting this flaw to upload webshells, deploy backdoors, and create hidden administrator users.

The vulnerability, tracked as CVE-2025-5394, affects all versions of the Alone theme up to and including 7.8.3. The flaw stems from the theme’s ‘alone_import_pack_install_plugin()’ function, which lacks nonce checks and is registered on the wp_ajax_nopriv_ hook, so it can be reached by visitors who are not logged in. This allows attackers to trigger plugin installations from remote URLs, enabling unauthenticated users to upload malicious files.
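The pattern the article describes is a common WordPress mistake: an AJAX handler registered on the unauthenticated wp_ajax_nopriv_ hook with no nonce or capability check. The snippet below is an added illustration, not the Alone theme’s code; the function names, action names and the allow-listed plugin are assumptions made for the example. It shows the weak registration beside a hardened version that only accepts requests from logged-in users who hold the install_plugins capability, verifies a nonce, and never fetches a package from a caller-supplied URL.

```php
<?php
// Added illustration (not the Alone theme's code). Function and action
// names are assumptions chosen for the example.

// --- Weak pattern: reachable without login, no nonce, no capability check ---
function example_weak_install_plugin() {
    // Anything placed here runs for anonymous visitors. If it downloads and
    // installs a package named by the caller, that is remote code execution.
    wp_send_json_error( 'illustration only: unguarded handler', 500 );
}
add_action( 'wp_ajax_example_weak_install', 'example_weak_install_plugin' );
// The nopriv registration is what exposes the handler to unauthenticated users.
add_action( 'wp_ajax_nopriv_example_weak_install', 'example_weak_install_plugin' );

// --- Hardened pattern ---
function example_safe_install_plugin() {
    // 1. Nonce: the request must carry a token issued by
    //    wp_create_nonce( 'example_safe_install' ) on an admin page.
    check_ajax_referer( 'example_safe_install', 'nonce' );

    // 2. Capability: only users allowed to install plugins may proceed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Allow-list: resolve a slug to a known package; never accept a URL.
    $slug    = isset( $_POST['plugin'] ) ? sanitize_key( wp_unslash( $_POST['plugin'] ) ) : '';
    $allowed = array(
        // assumed entry for the illustration
        'example-plugin' => 'https://downloads.wordpress.org/plugin/example-plugin.zip',
    );
    if ( ! isset( $allowed[ $slug ] ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }

    // Installation from $allowed[ $slug ] (e.g. via Plugin_Upgrader) would go here.
    wp_send_json_success( array( 'plugin' => $slug ) );
}
// Only the authenticated hook is registered; there is no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_safe_install', 'example_safe_install_plugin' );
```

The nonce alone is not sufficient, because nonces are tied to a user and do not prove authorization; the capability check is what keeps an ordinary subscriber account from installing code, and dropping the nopriv registration keeps anonymous visitors out entirely.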

Wordfence reports that the attacks started several days before public disclosure of the flaw, indicating that threat actors are monitoring changelogs and patches to discover exploitable issues before alerts are sent to website owners. The security firm has blocked over 120,000 exploitation attempts targeting its customers, with the attacks coming from IP addresses 193.84.71.244, 87.120.92.24, 146.19.213.18, and 2a0b:4141:820:752::2.

The Alone theme, which has nearly 10,000 sales on the Envato market, is primarily used by non-profit organizations, charities, and social organizations. Although Wordfence submitted a report to the vendor, Bearsthemes, as early as May 30, 2025, it did not receive a response, prompting the security firm to escalate the issue to the Envato team. Four days later, the vendor released a fixed version of Alone, v7.8.5, which is the recommended update target for all users.

This vulnerability is the latest in a string of attacks targeting WordPress themes, following the exploitation of a user validation flaw in the Motors theme last month. The Motors theme vulnerability allowed hackers to hijack administrator accounts on vulnerable websites, highlighting the need for prompt software updates and vigilant security monitoring.

Impact and Recommendations

The exploitation of the Alone theme vulnerability can have severe consequences, including:

  • Remote code execution: Threat actors can execute malicious code on vulnerable websites, allowing them to take control of the site and steal sensitive data.
  • Webshell deployment: Attackers can upload webshells, malicious scripts that let them maintain a persistent presence on the compromised website.
  • Backdoor installation: Threat actors can deploy password-protected PHP backdoors that allow them to execute remote commands and exfiltrate data.
  • Administrator account creation: Attackers can create hidden administrator accounts that give them full control of the website even after the original entry point is patched.

To mitigate this vulnerability, users are advised to:

Immediate Actions

  1. Update the Alone theme to version 7.8.5 or later: This will patch the vulnerability and prevent further exploitation.
  2. Monitor website security logs for suspicious activity: Keep a close eye on your website’s security logs for any signs of malicious activity.
  3. Block the IP addresses associated with the attacks: Block the IP addresses 193.84.71.244, 87.120.92.24, 146.19.213.18, and 2a0b:4141:820:752::2 to prevent further attacks.
  4. Implement robust security measures: Enable two-factor authentication, keep software updated, and apply other baseline security controls to protect your website.
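Steps 2 and 3 above are easier to act on with a concrete check. The script below is an added example, not part of the article or of Wordfence’s tooling: it scans web server access-log lines in combined log format for the two signals the article provides, requests from the four listed IP addresses and requests to admin-ajax.php that name the vulnerable handler. The AJAX action name is an assumption derived from the function name, and the log lines are constructed for the example. Note that standard access logs record only the URL, so an action sent in a POST body is invisible here; for those requests the script falls back to flagging POSTs to admin-ajax.php from the known addresses, and a WAF or security-plugin log is needed for fuller coverage.

```php
<?php
// Added example (not from the article or Wordfence). Scans access-log lines
// for the IP addresses the article lists and for AJAX calls naming the
// vulnerable handler. The action name is an assumption.

$known_attack_ips = array(
    '193.84.71.244',
    '87.120.92.24',
    '146.19.213.18',
    '2a0b:4141:820:752::2',
);
$suspect_action = 'alone_import_pack_install_plugin'; // assumed; mirrors the function name

function scan_access_log( array $lines, array $bad_ips, string $action ): array {
    $hits = array();
    foreach ( $lines as $n => $line ) {
        // Combined log format: client IP first, then the quoted request line.
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*"/', $line, $m ) ) {
            continue; // not a request line we understand
        }
        list( , $ip, $method, $path ) = $m;
        $reasons = array();

        $from_bad_ip = in_array( $ip, $bad_ips, true );
        if ( $from_bad_ip ) {
            $reasons[] = 'known attack IP';
        }

        $is_ajax = ( strpos( $path, '/wp-admin/admin-ajax.php' ) !== false );
        parse_str( (string) parse_url( $path, PHP_URL_QUERY ), $params );

        if ( $is_ajax && isset( $params['action'] ) && $params['action'] === $action ) {
            // Action passed in the query string is visible in the log.
            $reasons[] = 'suspect AJAX action';
        } elseif ( $is_ajax && $method === 'POST' && $from_bad_ip ) {
            // POST bodies are not logged; a POST to admin-ajax.php from a
            // listed address is still worth a look.
            $reasons[] = 'POST to admin-ajax.php';
        }

        if ( $reasons ) {
            $hits[] = array(
                'line'    => $n + 1,
                'ip'      => $ip,
                'path'    => $path,
                'reasons' => $reasons,
            );
        }
    }
    return $hits;
}

// Constructed sample log lines for the example; 203.0.113.5 and 198.51.100.7
// are documentation addresses, not real clients.
$sample_log = array(
    '203.0.113.5 - - [25/Jul/2025:10:01:02 +0000] "GET /wp-content/themes/alone/style.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '193.84.71.244 - - [25/Jul/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 55 "-" "python-requests/2.31"',
    '198.51.100.7 - - [25/Jul/2025:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 55 "-" "curl/8.0"',
    '2a0b:4141:820:752::2 - - [25/Jul/2025:10:04:01 +0000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
);

foreach ( scan_access_log( $sample_log, $known_attack_ips, $suspect_action ) as $hit ) {
    printf( "line %d: %s %s [%s]\n", $hit['line'], $hit['ip'], $hit['path'], implode( ', ', $hit['reasons'] ) );
}
```

Run it against a real log with `$sample_log = file( '/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES )`; a hit for the AJAX action on a site that has not yet updated to 7.8.5 should be followed by a check for new administrator users and unexpected files under wp-content.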

Long-term Recommendations

  1. Regularly update WordPress and plugins: Keep your WordPress installation and plugins up to date to prevent exploitation of known vulnerabilities.
  2. Use a reputable security plugin: Install a reputable security plugin, such as Wordfence, to detect and prevent malicious activity.
  3. Conduct regular security audits: Conduct regular security audits to identify and fix vulnerabilities before they are exploited.
  4. Use a Web Application Firewall (WAF): Consider using a WAF to protect your website from common web attacks.

Cloud Detection and Response

Cloud detection and response (CDR) has emerged as a crucial tool in detecting and responding to emerging threats in real-time, giving security teams the edge they need to protect their businesses. CDR solutions can help identify and contain threats before they spread, reducing the risk of data breaches and other security incidents.

In this case, Wordfence’s CDR capabilities helped detect and block over 120,000 exploitation attempts targeting its customers. By leveraging CDR, organizations can stay ahead of emerging threats and protect their businesses from cyber attacks.
