CVE-2025-5394: 
WordPress vulnerability analysis and mitigation

The Alone – Charity Multipurpose Non-profit WordPress Theme contains a critical vulnerability (CVE-2025-5394) affecting all versions up to and including 7.8.3. The vulnerability was discovered and reported by Wordfence on July 15, 2025. This security flaw affects WordPress installations using the Alone theme and allows unauthenticated attackers to perform arbitrary file uploads (NVD CVE).

The vulnerability stems from a missing capability check in the aloneimportpackinstallplugin() function. This security oversight enables unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating the highest severity level. The weakness has been classified as CWE-862 (Missing Authorization) (Wordfence Intel).

The vulnerability allows attackers to achieve remote code execution on affected WordPress sites. This can lead to complete system compromise, as attackers can upload and execute malicious code through webshells disguised as legitimate plugins. The high severity rating indicates potential for significant damage to affected systems, including unauthorized access, data theft, and system manipulation (NVD CVE).

Website administrators running the Alone theme should immediately update to version 7.8.4 or later which contains the security fix. The theme developers have addressed this vulnerability in their latest release available through ThemeForest (Theme Details).