Attackers have launched aggressive campaigns exploiting a severe flaw in the WordPress "Alone" theme, tracked as CVE‑2025‑5394 (CVSS 9.8). The function alone_import_pack_install_plugin() is reachable through an AJAX hook but performs no capability check, so an unauthenticated request can make the site download and install a plugin ZIP of the attacker's choosing. Because an installed plugin is just PHP that WordPress executes, this is remote code execution and full control of the site, not merely a file upload.
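To make the root cause concrete, here is a hypothetical AJAX handler in the shape the advisory describes, next to a hardened version. This is an added illustration, not the Alone theme's actual source: the hook name is assumed from the function name in the advisory, and the request parameters plugin_url and plugin, the nonce action alone_import_pack and the function names are invented for the example.

```php
<?php
// VULNERABLE pattern (hypothetical, not the theme's real code).
// wp_ajax_nopriv_ exposes the handler to visitors who are not logged in, and the
// handler installs whatever package URL it is handed without checking who asked.
add_action('wp_ajax_nopriv_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin_vuln');
add_action('wp_ajax_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin_vuln');

function alone_import_pack_install_plugin_vuln() {
    $url = isset($_POST['plugin_url']) ? $_POST['plugin_url'] : ''; // attacker-controlled

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $upgrader = new Plugin_Upgrader(new WP_Ajax_Upgrader_Skin());
    $result   = $upgrader->install($url); // downloads the ZIP and unpacks it into wp-content/plugins
    wp_send_json(['installed' => (bool) $result]);
}

// HARDENED pattern: logged-in only (no nopriv hook), must hold install_plugins,
// must present a nonce bound to this action, and the package is resolved from a
// wordpress.org slug instead of an arbitrary URL.
add_action('wp_ajax_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin_fixed');

function alone_import_pack_install_plugin_fixed() {
    if (!current_user_can('install_plugins')) {
        wp_send_json_error('forbidden', 403); // also covers subscribers reaching the wp_ajax_ hook
    }
    check_ajax_referer('alone_import_pack', 'nonce'); // dies on a missing or invalid nonce

    $slug = isset($_POST['plugin']) ? sanitize_key(wp_unslash($_POST['plugin'])) : '';
    if ($slug === '') {
        wp_send_json_error('missing plugin slug', 400);
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Let the wordpress.org API turn the slug into a download link; the caller never supplies a URL.
    $api = plugins_api('plugin_information', ['slug' => $slug, 'fields' => ['sections' => false]]);
    if (is_wp_error($api)) {
        wp_send_json_error($api->get_error_message(), 400);
    }

    $upgrader = new Plugin_Upgrader(new WP_Ajax_Upgrader_Skin());
    $result   = $upgrader->install($api->download_link);
    if (is_wp_error($result) || !$result) {
        wp_send_json_error('install failed', 500);
    }
    wp_send_json_success(['installed' => $slug]);
}
```

The three checks are independent and all three matter: the capability check stops low-privilege accounts, dropping the nopriv registration stops anonymous visitors, and the nonce stops a logged-in administrator from being tricked into triggering the install from another site. Restricting the source to a slug removes the attacker-hosted ZIP entirely, which is what turns the bug from a missing permission check into code execution.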
Exploit Activity Preceded Public Disclosure
Security researchers at Wordfence reported over 120,000 blocked exploitation attempts. Their indicators show attacks began around July 12, two days before the vulnerability was publicly disclosed on July 14. That timing suggests threat actors watch change logs and patch releases and weaponize a fix before most site owners have applied it. The observed payloads are ZIP archives, often named wp-classic-editor.zip or background-image-cropper.zip, that install PHP backdoors, file managers and rogue administrator accounts. Once in place, attackers run arbitrary commands, deploy persistent malware or lock owners out entirely. The file names are chosen to look like legitimate plugins and can change at any time, so they are a useful indicator but not a reliable one.
Why Do Many Sites Remain Exposed?
Although patched version 7.8.5 was released on June 16, many sites still run vulnerable versions (7.8.3 and earlier). WordPress does not auto-update themes unless the site owner enables it, and a theme purchased as part of a bundle is often installed once and never revisited. The installed version can be read from the Version header of the theme's style.css or from the Themes screen in the dashboard. Without proactive theme updates and plugin audits, WordPress installations remain prone to this and similar attacks.
Additional Plugin Threats to Watch
This is part of a broader trend. In recent months, attackers have actively exploited separate vulnerabilities in plugins and themes like Post SMTP (CVE‑2025‑24000), Forminator (CVE‑2025‑6463), OttoKit (CVE‑2025‑27007 and CVE‑2025‑3102), and the Motors theme (CVE‑2025‑4322). These flaws let them access email logs, delete files, escalate privileges, and create admin accounts on thousands of sites.
How Can Site Owners Respond?
Update the Alone theme to version 7.8.5 or later immediately. Updating closes the hole but does not remove anything an attacker already dropped, so treat any site that ran a vulnerable version while exposed to the internet as potentially compromised: look for plugin directories you did not install, PHP files under wp-content/uploads, administrator accounts you do not recognise, and POST requests to wp-admin/admin-ajax.php in the access logs from the period in question. Remove unused themes and plugins and restrict administrative access. Use a web application firewall to block known exploit patterns, keeping in mind that it only blocks what it already recognises. Perform routine security scans to detect compromise early, and if a backdoor is found, rotate all credentials, API keys and the salts in wp-config.php after cleaning up.
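The following command-line script, added here as an illustration and not part of the original article or of any vendor tool, performs the file-system and log checks just described. It looks for the ZIP names named above, PHP files where none belong, PHP files in the plugins tree that use obfuscation or execution primitives, and admin-ajax.php requests in an access log. The query-string action name is assumed to match the function name alone_import_pack_install_plugin; the script name alone-triage.php and its argument layout are invented for the example.

```php
<?php
// Usage: php alone-triage.php /path/to/wordpress [/path/to/access.log]
// Hypothetical triage script (added example). Exit code 1 when indicators are found.

$root    = $argv[1] ?? null;
$logFile = $argv[2] ?? null;
if ($root === null || !is_dir("$root/wp-content")) {
    fwrite(STDERR, "usage: php alone-triage.php <wp-root> [access.log]\n");
    exit(2);
}

$knownZips   = ['wp-classic-editor.zip', 'background-image-cropper.zip']; // names reported in the wild
$dangerCalls = '/\b(eval|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru|move_uploaded_file)\s*\(/i';
$findings    = [];

// 1. Files: dropped ZIPs anywhere under wp-content, PHP under uploads (never legitimate),
//    and PHP in the plugins tree that calls obfuscation/execution primitives.
$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator("$root/wp-content", FilesystemIterator::SKIP_DOTS)
);
foreach ($iterator as $file) {
    $path = $file->getPathname();
    $name = strtolower($file->getFilename());
    if (in_array($name, $knownZips, true)) {
        $findings[] = "known attacker ZIP name: $path";
    } elseif (preg_match('#/wp-content/uploads/.*\.php$#i', $path)) {
        $findings[] = "PHP file inside uploads: $path";
    } elseif (preg_match('#/wp-content/plugins/.*\.php$#i', $path)) {
        $src = @file_get_contents($path, false, null, 0, 200000); // first 200 KB is enough for a scan
        if ($src !== false && preg_match($dangerCalls, $src, $m)) {
            $findings[] = "suspicious call {$m[1]}() in $path";
        }
    }
}

// 2. Log: admin-ajax.php requests carrying the vulnerable action in the query string.
//    Exploit traffic usually POSTs the action in the body, which access logs do not
//    record, so every POST to admin-ajax.php is also listed for manual review.
if ($logFile !== null && is_readable($logFile)) {
    foreach (file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $n => $line) {
        if (stripos($line, 'admin-ajax.php') === false) {
            continue;
        }
        $where = 'log line ' . ($n + 1);
        if (stripos($line, 'action=alone_import_pack_install_plugin') !== false) {
            $findings[] = "$where: vulnerable AJAX action in query string: $line";
        } elseif (preg_match('#"POST /wp-admin/admin-ajax\.php#', $line)) {
            $findings[] = "$where: POST to admin-ajax.php (review manually): $line";
        }
    }
}

if ($findings === []) {
    echo "no indicators found\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo "[!] $finding\n";
}
exit(1);
```

Two caveats. First, a clean result from this script is not proof of a clean site: attackers rename payloads, and backdoors can live in a theme, in wp-config.php or in the database. Second, the rogue-administrator check is deliberately not done by bootstrapping WordPress from the script, because loading wp-load.php on a suspect host executes every installed plugin, including a dropped one. Query the database directly instead (wp_usermeta rows whose wp_capabilities value contains "administrator", compared against the accounts you know about) and review user_registered dates in wp_users against the July exploitation window.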
What this really means is a small flaw in a popular component can lead to total breach. Vigilance and fast patching are now essential, not optional.