Threat actors are actively exploiting a critical vulnerability in the WordPress theme "Alone", enabling unauthenticated remote code execution and full site takeovers. The flaw, tracked as CVE-2025-5394, affects all theme versions up to and including 7.8.3.
Over 120,000 Exploitation Attempts Blocked
WordPress security firm Wordfence reports that it has already blocked over 120,000 exploitation attempts on customer sites, with attack activity starting before public disclosure of the flaw.
Because exploitation began before disclosure, attackers were evidently monitoring changelogs and patch releases to spot newly fixed vulnerabilities before official security advisories were published.
Technical Details of the Vulnerability
The flaw lies in the theme's alone_import_pack_install_plugin() function, which:
- Is exposed via the wp_ajax_nopriv_ hook, so it runs for visitors who are not logged in
- Lacks nonce validation and, since it is reachable without a session, performs no capability check either
- Accepts a remote plugin source via POST data, so an attacker can point it at any ZIP file and have it installed as a plugin
The vulnerable function can be exploited by sending crafted AJAX requests to admin-ajax.php, triggering the installation of malicious plugins from remote servers.
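To make the three weaknesses concrete, the following is an added illustration written for this article; it is not the Alone theme's real code, nor the vendor's patch, nor Wordfence's analysis. The article names only the function and the wp_ajax_nopriv_ hook prefix, so the AJAX action name, the plugin_source POST parameter, the nonce name, the hardened function name and the allow-listed plugin slugs are all assumptions made here. The first handler shows the exposure pattern described above; the second shows how the same installer would be gated in a theme that followed WordPress's AJAX conventions.

```php
<?php
// Added example, not the Alone theme's own code. Everything except the function
// name alone_import_pack_install_plugin() and the wp_ajax_nopriv_ prefix is assumed.

// ---------------------------------------------------------------------------
// 1. The pattern the article describes (deliberately insecure, for contrast).
// ---------------------------------------------------------------------------
// Registering on wp_ajax_nopriv_<action> means admin-ajax.php dispatches this
// handler for requests with no login at all. The action name is assumed here.
add_action( 'wp_ajax_nopriv_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin' );
add_action( 'wp_ajax_alone_import_pack_install_plugin', 'alone_import_pack_install_plugin' );

function alone_import_pack_install_plugin() {
    // No check_ajax_referer() and no current_user_can(): nothing ties the request
    // to a logged-in user, let alone one allowed to install plugins.
    // The parameter name 'plugin_source' is an assumption for this example.
    $package = isset( $_POST['plugin_source'] ) ? $_POST['plugin_source'] : '';

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    // Plugin_Upgrader::install() downloads a remote package and unpacks it into
    // wp-content/plugins, so a client-supplied URL means a client-supplied plugin.
    $upgrader->install( $package );
    wp_send_json_success();
}

// ---------------------------------------------------------------------------
// 2. A hardened form of the same installer (example, not the vendor's fix).
// ---------------------------------------------------------------------------
// Logged-in hook only: no wp_ajax_nopriv_ registration, so anonymous requests
// never reach the function. Function and action name are assumed.
add_action( 'wp_ajax_alone_import_pack_install_plugin_hardened', 'alone_import_pack_install_plugin_hardened' );

function alone_import_pack_install_plugin_hardened() {
    // CSRF: the request must carry a nonce created with
    // wp_create_nonce( 'alone_import_pack_nonce' ) in the 'nonce' field.
    // check_ajax_referer() terminates the request with -1 on failure.
    check_ajax_referer( 'alone_import_pack_nonce', 'nonce' );

    // Authorization: the capability WordPress itself requires for plugin installs.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Input: never accept a package URL from the client. Accept a slug and
    // resolve it against a fixed allow-list (demo slugs, assumed).
    $allowed = array( 'contact-form-7', 'classic-editor' );
    $slug    = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'plugin not in allow-list', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // The download URL now comes from the wordpress.org API, not from the request.
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 502 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
```

The three gates in the hardened handler map one-to-one onto the bullets above: dropping the nopriv registration removes unauthenticated reach, check_ajax_referer() supplies the missing nonce check, and replacing the free-form URL with an allow-listed slug resolved through plugins_api() removes the attacker's control over what gets installed. The nonce alone would not have been enough: a nonce only proves the request originated from a page the site served, and a theme that still registered the nopriv hook would be handing that page to anonymous visitors.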
Figure: Volume of exploitation attempts against Alone-powered sites (source: Wordfence).