CVE-2025-5394

Medienbericht

EPSS 19.83%
Veröffentlicht 15.07.2025 03:43:23
Zuletzt bearbeitet 15.07.2025 13:14:24
Quelle security@wordfence.com
Teams Watchlist Login
Unerledigt Login

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerBearsthemes

≫

Produkt Alone – Charity Multipurpose Non-profit WordPress Theme

Default Statusunaffected

Version <= 7.8.3

Version *

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	19.83%	0.953

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.heise.de/news/WordPress-Theme-Alone-Mehr-als-120-000-Angriffsversuche-dokumentiert-10506610.html

Medienbericht

heise Security

https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939

https://www.wordfence.com/threat-intel/vulnerabilities/id/86f91589-b309-49aa-8b04-ca972acaf8fb?source=cve

https://nvd.nist.gov/vuln/detail/CVE-2025-5394

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-5394

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-5394

EUVD