CVE-2025-52718: 
WordPress vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-52718) was discovered in the WordPress Alone theme affecting versions up to 7.8.2. The vulnerability is classified as an Improper Control of Generation of Code (Code Injection) that allows Remote Code Inclusion. The issue was discovered by researcher Trương Hữu Phúc and was publicly disclosed on July 1, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and allows for arbitrary code execution. The vulnerability can be exploited without authentication, making it particularly dangerous (NVD, Patchstack).

The vulnerability allows malicious actors to remotely execute arbitrary code on affected websites. This could potentially lead to complete site compromise, data theft, or site defacement. The high CVSS score and unauthenticated nature of the exploit make this vulnerability particularly concerning for website owners (Patchstack).

Website administrators are strongly advised to update to version 7.8.5 or later, which contains the fix for this vulnerability. For immediate protection, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).