NEWS CVE-2025-5394: 120,000 Attacks, One Backdoor, and a Full Dive into WordPress Hell

ExcalibuR

You have only a few hours to protect your site from a hacker onslaught.


A critical vulnerability has been discovered in the popular WordPress theme "Alone – Charity Multipurpose Non-profit", widely used by charitable organizations. Tracked as CVE-2025-5394 and carrying a CVSS score of 9.8 out of 10, the flaw is already being actively exploited in the wild. It was reported by security researcher Thai An, and attacks were detected even before the vulnerability was publicly disclosed.


The flaw resides in the theme's alone_import_pack_install_plugin() function, which is reachable through WordPress's AJAX endpoint (admin-ajax.php) without a capability check. As a result, unauthenticated users can send crafted AJAX requests that make the site install an arbitrary ZIP archive as a plugin, placing attacker-controlled PHP on the server. In practice this is unauthenticated remote code execution and grants full control of the WordPress site. The vulnerability affects all versions up to and including 7.8.3; a fix was issued in version 7.8.5, released on June 16, 2025.
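To make the bug class concrete, here is an illustrative reconstruction of the pattern, written for this post and not the Alone theme's own code: an admin-ajax.php handler registered for unauthenticated callers that hands a request-supplied package straight to the plugin installer, beside a hardened version. The hook names, the `plugin` POST parameter, the nonce action and the allow-list URL are assumptions for the example; the WordPress APIs used (Plugin_Upgrader, current_user_can, check_ajax_referer, wp_send_json_error) are real.

```php
<?php
/**
 * Illustrative reconstruction (not the Alone theme's code) of the
 * vulnerability class behind CVE-2025-5394, beside a hardened handler.
 * Drop into a theme's functions.php or a small plugin to compare behaviour.
 */

// WordPress pieces both handlers need: the upgrader classes (which also
// load the skins, including WP_Ajax_Upgrader_Skin) and the filesystem API.
require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/plugin.php';
require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

// --- VULNERABLE PATTERN (do not ship) ------------------------------------
// Two mistakes: the callback is also registered on wp_ajax_nopriv_*, so any
// visitor can reach it, and it never checks who is calling or what package
// is being installed before invoking the plugin installer.
function insecure_import_pack_install_plugin() {
    // Assumption for the example: the package location arrives as POST 'plugin'.
    $package = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $package ); // attacker-chosen ZIP is unpacked into wp-content/plugins
    wp_send_json_success();
}
add_action( 'wp_ajax_insecure_import_pack_install_plugin', 'insecure_import_pack_install_plugin' );
add_action( 'wp_ajax_nopriv_insecure_import_pack_install_plugin', 'insecure_import_pack_install_plugin' ); // the fatal line

// --- HARDENED PATTERN ----------------------------------------------------
function secure_import_pack_install_plugin() {
    // 1. Capability check: only users allowed to install plugins may proceed.
    //    wp_send_json_error() ends the request, so nothing below runs on failure.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. Nonce check: ties the request to a form rendered for this user (CSRF defence).
    //    The nonce is created with wp_create_nonce( 'import_pack_install_plugin' )
    //    where the theme renders its import UI (hypothetical action name).
    check_ajax_referer( 'import_pack_install_plugin', 'nonce' );

    // 3. Allow-list: the theme knows which companion plugins it ships; accept
    //    only those, never a free-form location from the request.
    $allowed = array(
        'https://example.invalid/packs/alone-companion.zip', // hypothetical package URL
    );
    $package = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    if ( ! in_array( $package, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown package.' ), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $package );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    wp_send_json_success();
}
// 4. No wp_ajax_nopriv_ registration: unauthenticated requests get a plain
//    "0" response from admin-ajax.php and never reach the callback.
add_action( 'wp_ajax_secure_import_pack_install_plugin', 'secure_import_pack_install_plugin' );
```

The order of the checks matters less than their presence: the capability check is what closes the unauthenticated path, the nonce stops a logged-in administrator from being tricked into triggering the install from another site, and the allow-list removes the "arbitrary ZIP" part even if the first two are somehow bypassed.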


According to Wordfence, attacks began on July 12, two days before public disclosure — indicating that attackers may be closely monitoring code changes to spot security patches and exploit them in advance.




🚨 The Attack Campaign:


Since July 12, over 120,000 exploitation attempts have been recorded by Wordfence. Attacks are coming from a variety of IP addresses (both IPv4 and IPv6), including:

193.84.71.244
87.120.92.24
146.19.213.18
185.159.158.108
188.215.235.94
146.70.10.25
74.118.126.111
62.133.47.18
198.145.157.102
2a0b:4141:820:752::2


The attackers installed ZIP archives whose names mimic legitimate WordPress plugins, for example:


  • wp-classic-editor.zip
  • background-image-cropper.zip

These packages contain PHP backdoors, allowing attackers to:


  • Execute remote commands
  • Upload further malicious files
  • Create fake admin accounts
  • Deploy full file managers for persistent access



🛡️ What You Should Do Immediately:


  1. Update the theme to version 7.8.5 or newer. Patching closes the entry point but does not remove anything an attacker already installed, so the remaining steps still apply.
  2. Audit user accounts for suspicious admin users, including any account created or promoted to administrator since July 12.
  3. Inspect access logs going back to at least July 12, especially requests to:
/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin
  4. Look for unknown or recently added plugins, in particular ones whose names mimic legitimate plugins (such as wp-classic-editor or background-image-cropper), and unexplained PHP files under wp-content/.
  5. Use a security scanner (e.g., Wordfence or Sucuri) to detect and remove backdoors.
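The log and plugin checks above can be scripted. The following standalone PHP CLI script is an added example for this post, not a Wordfence or theme tool: it tallies requests for the vulnerable AJAX action per source IP, singles out the ones the server answered with 200 (which deserve the closest look), and checks the plugins directory for the package names seen in the campaign. The sample log lines are constructed for the dry run and use documentation IP ranges; the combined log format and the file paths are assumptions.

```php
<?php
/**
 * Triage helper for CVE-2025-5394 (added example, not the theme's or Wordfence's code).
 *
 * Usage:  php cve_2025_5394_triage.php [access.log] [wp-content/plugins]
 * With no arguments it runs against the constructed sample lines below.
 */

// Indicators taken from the advisory text.
const AJAX_ACTION    = 'alone_import_pack_install_plugin';
const KNOWN_PACKAGES = array( 'wp-classic-editor.zip', 'background-image-cropper.zip' );

/** True if a combined-format log line requests the vulnerable action via the query string. */
function is_exploit_attempt( string $line ): bool {
    return (bool) preg_match(
        '#"(?:GET|POST) [^" ]*/wp-admin/admin-ajax\.php\?[^" ]*\baction=' . AJAX_ACTION . '\b#',
        $line
    );
}

/** Client IP: first token of the line, validated as IPv4 or IPv6. */
function client_ip( string $line ): ?string {
    if ( preg_match( '/^(\S+)\s/', $line, $m ) && filter_var( $m[1], FILTER_VALIDATE_IP ) ) {
        return $m[1];
    }
    return null;
}

/** HTTP status code recorded for the request, or null if the line is malformed. */
function status_code( string $line ): ?int {
    return preg_match( '#HTTP/[\d.]+" (\d{3}) #', $line, $m ) ? (int) $m[1] : null;
}

/** Exploit attempts per source IP, most active first. */
function tally_attempts( iterable $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        if ( ! is_exploit_attempt( $line ) ) {
            continue;
        }
        $ip          = client_ip( $line ) ?? 'unknown';
        $hits[ $ip ] = ( $hits[ $ip ] ?? 0 ) + 1;
    }
    arsort( $hits );
    return $hits;
}

/** Exploit attempts the server answered with 200: possible successful installs. */
function possibly_successful( iterable $lines ): array {
    $out = array();
    foreach ( $lines as $line ) {
        if ( is_exploit_attempt( $line ) && status_code( $line ) === 200 ) {
            $out[] = $line;
        }
    }
    return $out;
}

/** Plugin directories whose slug matches a package name observed in the campaign. */
function suspicious_plugin_dirs( string $plugins_dir ): array {
    $flagged = array();
    foreach ( KNOWN_PACKAGES as $zip ) {
        $slug = preg_replace( '/\.zip$/', '', $zip );
        if ( is_dir( $plugins_dir . '/' . $slug ) ) {
            $flagged[] = $slug;
        }
    }
    return $flagged;
}

// Constructed sample lines (combined log format) for a dry run.
$sample = array(
    '203.0.113.10 - - [12/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Jul/2025:03:14:09 +0000] "GET /wp-content/plugins/wp-classic-editor/classic-editor.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '2001:db8::5 - - [12/Jul/2025:03:20:41 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Jul/2025:03:21:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
);

if ( isset( $argv[1] ) ) {
    $lines = new SplFileObject( $argv[1] );
    $lines->setFlags( SplFileObject::DROP_NEW_LINE | SplFileObject::SKIP_EMPTY | SplFileObject::READ_AHEAD );
} else {
    $lines = $sample;
}

foreach ( tally_attempts( $lines ) as $ip => $n ) {
    printf( "%-40s %d attempt(s)\n", $ip, $n );
}
foreach ( possibly_successful( $lines ) as $line ) {
    echo "answered 200 (check plugins dir): $line\n";
}
foreach ( suspicious_plugin_dirs( $argv[2] ?? getcwd() . '/wp-content/plugins' ) as $slug ) {
    echo "suspicious plugin directory present: $slug\n";
}
```

Two caveats when reading the results: an AJAX action can also be sent in the POST body, which ordinary access logs do not record, so a clean grep of the query string is not proof that nothing happened; and a 200 response only means the handler ran, not that the install succeeded, so confirm against the plugins directory and file modification times rather than the log alone.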



This incident highlights once again how themes and plugins can become a major attack surface in WordPress environments — especially when access controls are poorly implemented. Patch fast — or risk full compromise.