9.8
CVE-2025-5394
- EPSS 20.28%
- Veröffentlicht 15.07.2025 03:43:23
- Zuletzt bearbeitet 15.07.2025 13:14:24
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginAlone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
Mögliche Gegenmaßnahme
Alone – Charity Multipurpose Non-profit WordPress Theme: Update to version 7.8.5, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Theme
≫
Produkt
Alone – Charity Multipurpose Non-profit WordPress Theme
Version
* - 7.8.3
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerBearsthemes
≫
Produkt
Alone – Charity Multipurpose Non-profit WordPress Theme
Default Statusunaffected
Version <=
7.8.3
Version
*
Status
affected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 20.28% | 0.953 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.