A critical arbitrary file-upload flaw (CVE-2025-5394, CVSS 9.8) in the Alone – Charity Multipurpose Non-profit WordPress theme (≤ 7.8.3) is under active exploitation.
A missing authorization check in the alone_import_pack_install_plugin() AJAX handler lets unauthenticated attackers upload crafted ZIP archives (often containing PHP backdoors), resulting in remote code execution and full site takeover.
Vulnerability Details
- Function: alone_import_pack_install_plugin()
- Root Cause: Missing authorization (nonce/capability check) on the AJAX handler wp_ajax_nopriv_alone_import_pack_install_plugin.
- Impact: Unauthenticated attackers can upload ZIP archives containing PHP web shells or backdoors, execute arbitrary commands, deploy file managers, and create rogue administrative accounts.
- CVSS Score: 9.8 (Critical)
- Vulnerable Versions: ≤ 7.8.3
Attack Mechanics
Triggering the AJAX Handler:
POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin
Payload Delivery: ZIP archives such as wp-classic-editor.zip or background-image-cropper.zip containing:
- PHP backdoors/web shells
- File manager scripts
- Tools to create unauthorized admin users
Post-Exploitation Activities:
- Remote command execution (e.g. reverse shells)
- Deployment of persistence mechanisms
- Log tampering and credential harvesting
Indicators of Compromise (IOCs)
| Indicator Type | Details |
| --- | --- |
| Attacker IP addresses | 193.84.71.244, 87.120.92.24, 146.19.213.18, 185.159.158.108, 188.215.235.94, 146.70.10.25, 74.118.126.111, 62.133.47.18, 198.145.157.102, 2a0b:4141:820:752::2 |
| Suspicious log entries | POST requests to /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin; unexpected ZIP uploads via that AJAX endpoint |
Detection Query Examples
Run against your Apache or Nginx access log, this command finds every HTTP request to the vulnerable AJAX endpoint (the pattern is matched as a fixed string so the `?` and `.` are taken literally):
grep -F 'admin-ajax.php?action=alone_import_pack_install_plugin' access.log
If you see entries here, it means someone (or something) tried to call that function, potentially uploading a malicious ZIP.
Additionally, you can use WPScan/Wordfence to enable rules that alert on arbitrary file upload attempts.
Recommended Actions
1. Apply the Patch Immediately
Ensure every instance of the Alone theme is updated to v7.8.5 or later without delay. This release contains the authorization check that prevents unauthenticated uploads to the vulnerable AJAX endpoint.
2. Verify Site Integrity
Perform a thorough sweep of your webroot to uncover any unfamiliar or rogue PHP files, especially those outside the standard theme and plugin directories. At the same time, audit all administrator accounts to confirm no unauthorized users have been created.
3. Strengthen Access Controls
Lock down access to sensitive endpoints by restricting /wp-admin/ and /wp-admin/admin-ajax.php to trusted IP ranges or by enforcing rules at your web application firewall (WAF). Additionally, require phishing-resistant multifactor authentication (MFA) for every privileged user to reduce the risk of compromised credentials.
4. Enhance Detection & Monitoring
- Configure your SIEM or log-management system to trigger alerts on any POST to admin-ajax.php?action=alone_import_pack_install_plugin.
- Watch for spikes in ZIP-file uploads or repeated requests to that AJAX handler.
- Integrate IDS/IPS signatures that recognize common web-shell patterns and backdoor filenames.
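As an added example (not part of the advisory), the grep query in the detection section and the alerting recommendations in step 4 can be combined into a small Python scanner that parses combined-format access-log lines, flags requests to the vulnerable AJAX action and any traffic from the IoC addresses listed above, and counts hits per client. The log lines in SAMPLE_LOG are constructed; only the IoC addresses are taken from the advisory.

```python
"""Flag requests to the vulnerable Alone AJAX action (CVE-2025-5394) and IoC-address traffic."""
import re
from collections import Counter

VULN_ACTION = "alone_import_pack_install_plugin"  # handler named in the advisory
IOC_IPS = {  # attacker addresses from the advisory's IoC table
    "193.84.71.244", "87.120.92.24", "146.19.213.18", "185.159.158.108",
    "188.215.235.94", "146.70.10.25", "74.118.126.111", "62.133.47.18",
    "198.145.157.102", "2a0b:4141:820:752::2",
}
# Combined log format: client ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Constructed sample lines, not real traffic; 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Jul/2025:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '193.84.71.244 - - [28/Jul/2025:10:15:07 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.7 - - [28/Jul/2025:10:16:22 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 403 0 "-" "curl/8.0"',
    '87.120.92.24 - - [28/Jul/2025:10:17:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "not a log line",
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons a parsed request is suspicious (empty list if none)."""
    reasons = []
    path = entry["path"]
    if "/wp-admin/admin-ajax.php" in path and f"action={VULN_ACTION}" in path:
        # A 200 on a POST means the handler ran; a 403 or a GET still shows probing.
        reasons.append("vuln-endpoint-POST" if entry["method"] == "POST" else "vuln-endpoint-other")
    if entry["ip"] in IOC_IPS:
        reasons.append("ioc-ip")
    return reasons

def scan(lines):
    """Return (hits, requests-per-client) for every suspicious line in `lines`."""
    hits, per_ip = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            hits.append((entry["ip"], entry["method"], entry["status"], reasons))
            per_ip[entry["ip"]] += 1
    return hits, per_ip
```

One gap neither this scanner nor the grep can close: admin-ajax.php also accepts the `action` parameter in the POST body, which never reaches the access log, so requests submitted that way need a WAF rule or application-level logging to catch.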
Stay Safe. Stay Secure.
OP Innovate Research Team