CVE-2025-5394

CRITICAL · EXPLOITED · NUCLEI

Alone - Charity Multipurpose Non-profit WordPress Theme <7.8.3 - RCE


Exploitation Summary

CVE-2025-5394 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including Nxploited, fokda-prodz, Yucaerin. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a functional Python exploit for CVE-2025-5394, which allows unauthenticated arbitrary plugin upload in the Alone WordPress theme. The exploit automates the upload of a malicious ZIP file (disguised as a plugin) to achieve remote code execution.

Description

The Alone – Charity Multipurpose Non-profit WordPress Theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload, from remote locations, zip files containing webshells disguised as plugins, and thereby achieve remote code execution. CVE-2025-54019 is likely a duplicate of this.

Exploits (5)

nomisec WORKING POC 3 stars
by Nxploited · remote
https://github.com/Nxploited/CVE-2025-5394

The repository contains a functional Python exploit for CVE-2025-5394, which allows unauthenticated arbitrary plugin upload in the Alone WordPress theme. The exploit automates the upload of a malicious ZIP file (disguised as a plugin) to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3
No auth needed
Prerequisites: Target running vulnerable Alone WordPress theme · Access to a remote ZIP file containing a malicious plugin
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 3 stars
by fokda-prodz · remote
https://github.com/fokda-prodz/CVE-2025-5394

This repository contains a functional exploit for CVE-2025-5394, targeting the WP Alone theme ≤ 7.8.3. The exploit uploads a malicious plugin ZIP via an unauthenticated AJAX endpoint, achieving remote code execution (RCE) through a PHP web shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WP Alone theme ≤ 7.8.3
No auth needed
Prerequisites: Target must have WP Alone theme ≤ 7.8.3 installed · Target must have the vulnerable AJAX endpoint exposed
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 1 star
by Yucaerin · remote
https://github.com/Yucaerin/CVE-2025-5394

This repository contains a functional exploit for CVE-2025-5394, an unauthenticated arbitrary file upload vulnerability in the WordPress Alone Theme <= 7.8.3. The exploit leverages an unprotected AJAX endpoint to install and activate a malicious plugin from a remote URL, leading to remote code execution (RCE).

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Alone Theme <= 7.8.3
No auth needed
Prerequisites: A malicious plugin ZIP file hosted on a controlled server · Target site running WordPress with the vulnerable Alone Theme
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by qalesyaSN · remote
https://github.com/qalesyaSN/CVE-2025-5394

This repository contains a functional exploit for CVE-2025-5394, which targets a missing authorization vulnerability in the Alone WordPress theme (versions <= 7.8.3). The exploit allows unauthenticated arbitrary file upload via plugin installation, leading to remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3
No auth needed
Prerequisites: Target must be running the vulnerable Alone WordPress theme · Attacker must have a direct URL to a malicious shell.zip file
devstral-2 · analyzed Feb 19, 2026
github WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-5394

The repository contains functional exploit code for CVE-2025-5394, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the ability to upload a malicious file to a vulnerable endpoint, confirming the exploit's effectiveness.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: Vulnerable WordPress plugin installed · Network access to the target
devstral-2 · analyzed Feb 27, 2026

Nuclei Templates (1)

Unauthenticated Arbitrary Plugin Upload in Alone Theme
CRITICAL · VERIFIED · by Nxploited, DhiyaneshDK
FOFA: body="/wp-content/themes/alone/"

Scores

CVSS v3 9.8
EPSS 0.2184
EPSS Percentile 95.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-07-29
CWE
CWE-862
Status published
Products (1)
Bearsthemes/Alone – Charity Multipurpose Non-profit WordPress Theme < 7.8.3
Published Jul 15, 2025
Tracked Since Feb 18, 2026