CVE-2025-5394

Media report

EPSS 19.83%
Published 15.07.2025 03:43:23
Last modified 15.07.2025 13:14:24
Source security@wordfence.com
Teams watchlist Login
Open Login

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorBearsthemes

≫

Product Alone – Charity Multipurpose Non-profit WordPress Theme

Default Statusunaffected

Version <= 7.8.3

Version *

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	19.83%	0.953

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.heise.de/news/WordPress-Theme-Alone-Mehr-als-120-000-Angriffsversuche-dokumentiert-10506610.html

Medienbericht

heise Security

https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939

https://www.wordfence.com/threat-intel/vulnerabilities/id/86f91589-b309-49aa-8b04-ca972acaf8fb?source=cve

https://nvd.nist.gov/vuln/detail/CVE-2025-5394

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-5394

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-5394

EUVD