Hackers are mass-exploiting a critical vulnerability in the WordPress Alone theme

31.07.2025 2 minutes Author: Newsman

Thousands of WordPress sites around the world are at risk as cybercriminals actively exploit a critical vulnerability in the popular Alone theme that allows arbitrary code execution (RCE) without authorization. The vulnerability is tracked as CVE-2025-5394, and more than 120,000 attacks have already been recorded.

WordPress security firm Wordfence reported active attacks that began even before the issue was officially announced. This suggests that attackers are monitoring changes to the theme code and are actively looking for new ways to exploit it.

The vulnerability is located in the alone_import_pack_install_plugin() function — it does not check the nonce and is publicly accessible via AJAX. This allows unauthorized users to install plugins from remote sources, including webshells and backdoors.

Here’s what attackers can do with this vulnerability:

  • download encrypted backdoors as ZIP archives;

  • create hidden administrators;

  • deploy full-featured file managers to access the database;

  • run commands over HTTP and completely hijack the site.

Signs of a hack:

  1. new admin accounts;

  2. unexplained folders with ZIP files or plugins;

  3. suspicious requests to admin-ajax.php?action=alone_import_pack_install_plugin.

The Alone theme is a paid theme developed by Bearsthemes and has been purchased by almost 10,000 users on the Envato marketplace. It is used mostly by charities, NPOs, and fundraising projects. Wordfence contacted the developer on May 30 but received no response, so the report was forwarded to the Envato team.

Recommended actions:

  • Update theme to v7.8.5;
  • Block IP addresses: 193.84.71.244, 87.120.92.24, 146.19.213.18, 2a0b:4141:820:752::2;
  • Check for unknown users and suspicious files.

This situation is further evidence that delays in updates can lead to large-scale hacks. If you or your clients use the Alone theme, updating is critical, and it is also worth conducting a security audit of the entire site.
