
A critical RCE vulnerability (CVE‑2025‑5394) in versions 7.8.3 and earlier of the Alone Charity Multipurpose WordPress Theme is actively exploited.
Over 120,000 attempts were recorded against more than 9,000 vulnerable sites, enabling attackers to inject malicious plugins and run arbitrary code by exploiting unauthenticated upload functionality.
A related bug (CVE‑2025‑5393) allows arbitrary file deletion, further facilitating site takeover. These were sometimes chained with the Bears Backup plugin RCE (CVE‑2025‑5396) for deeper access.
Other High-Profile WordPress Exploits in 2025
Security researchers warn that the Alone theme exploit is just one of many recent successful attacks. In early 2025, attackers exploited at least four widely used plugins and themes whose critical vulnerabilities were disclosed in 2024 but left unpatched:
- WordPress Automatic Plugin (CVE‑2024‑27956): A SQL injection flaw affecting exports. Over 6,500 blocked attempts reported.
- Startklar Elementor Addons (CVE‑2024‑4345): Unauthenticated file upload allowed plugin installation and backdoor creation.
- Bricks Theme (CVE‑2024‑25600): RCE via the REST API route allowing unauthorized PHP execution.
- GiveWP Donation Plugin (CVE‑2024‑8353): PHP object injection on donation forms enabled full site compromise.
Additionally, newer plugin issues surfaced in 2025:
- Post SMTP Plugin (CVE‑2025‑24000): Broken access control exposed email logs to low-privilege users and enabled admin password resets. An estimated 160,000 sites remain unpatched.
- BuddyBoss Platform Pro (CVE‑2025‑1909): Apple OAuth bypass allowed impersonation of privileged users.
- PGS Core Plugin (CVE‑2025‑0855): PHP object injection risk in versions up to 5.8.0.
- PeproDev Ultimate Profile Solutions (CVE‑2025‑3844): Authentication bypass enabling admin login.
- Simple Payment, FunnelKit, Custom APIs (CVE‑2025‑4334 / 6065 / 4973 / 1562 / 5486 / 5701): Multiple privilege escalation and file deletion flaws in plugins such as FunnelKit and in the Golo Travel theme.
Widespread Impacts and Emerging Attack Tactics
More than 20,000 WordPress sites were compromised by malicious JavaScript backdoors hidden in the mu-plugins directory, giving attackers stealthy persistence and enabling visitor redirect attacks.
A supply-chain compromise of the Gravity Forms plugin in July 2025 delivered malware via legitimate downloads, affecting users of versions 2.9.11.1 and 2.9.12.
The long-running DollyWay campaign continues to infect sites globally, redirecting traffic to adware-laden domains and leveraging multiple plugin and theme flaws.
Urgent Security Recommendations
- Update the Alone theme to version 7.8.5 now
- Review logs for suspicious POST requests to /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin
- Patch or disable plugins with known critical CVEs immediately
- Audit AJAX logs for suspicious endpoints
- Review admin accounts and delete unauthorized users
- Scan mu‑plugins directory for rogue PHP or JS files
- Implement firewalls, enable multi-factor authentication, and monitor plugin installations
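The log-review items above can be turned into a small triage script. The following is an added example, not code from the article or from any WordPress project: it parses Apache/nginx combined-format access log lines, flags POST requests to admin-ajax.php whose action parameter is the Alone importer action named above, and tallies every admin-ajax action seen so an administrator can spot endpoints they do not recognize. The log lines, IP addresses and timestamps are constructed for illustration.

```python
"""Access-log triage for the WordPress checklist above (added example)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The action name comes from the article; add others you consider sensitive.
WATCHED_ACTIONS = {"alone_import_pack_install_plugin"}

# Constructed sample log lines (not real traffic) so the script runs offline.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:08:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jul/2025:08:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2025:08:15:11 +0000] "GET /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.7 - - [10/Jul/2025:08:15:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return a dict with ip, ts, method, url_path, query, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["url_path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def is_admin_ajax(rec):
    # endswith() so sites installed in a subdirectory still match.
    return rec is not None and rec["url_path"].endswith("/wp-admin/admin-ajax.php")


def flag_suspicious(lines):
    """Return (ip, ts, action, status) for every POST to a watched admin-ajax action."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not is_admin_ajax(rec) or rec["method"] != "POST":
            continue
        for action in rec["query"].get("action", []):
            if action in WATCHED_ACTIONS:
                hits.append((rec["ip"], rec["ts"], action, int(rec["status"])))
    return hits


def action_summary(lines):
    """Count every admin-ajax action seen, for auditing unfamiliar endpoints."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if is_admin_ajax(rec):
            for action in rec["query"].get("action", ["<none>"]):
                counts[action] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, ts, action, status in flag_suspicious(lines):
        print(f"WATCHED POST  {ip}  {ts}  action={action}  status={status}")
    print("admin-ajax actions seen:")
    for action, n in action_summary(lines).most_common():
        print(f"  {n:5d}  {action}")
```

Two caveats when running this against real logs: the access log only records an action passed in the query string, so a request that carries `action=` in the POST body will show up as a bare `/wp-admin/admin-ajax.php` entry (counted under `<none>` above) and needs WAF or request-body logging to attribute; and a 200 response to the watched action on an unpatched site is the signal to treat the host as compromised and move to the account and mu-plugins checks, not merely to patch.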
Unpatched plugins and themes remain WordPress’s Achilles’ heel. Hackers exploited many critical vulnerabilities within 24 hours of public disclosure across 2024–2025, using AI-powered scanners to accelerate attacks at scale.