VDB

CVE-2025-5394

CVE-2025-5394 PUBLISHED CVSS 9.800000190734863 CRITICAL

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

EPSS 21.84% · 95.9th percentile

Risk Scores

CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
21.84%
95.9th percentile

Affected Products

VendorProductVersions
BearsthemesAlone – Charity Multipurpose Non-profit WordPress Theme*

Timeline

  • Jul 15, 2025 EPSS Score
  • Jul 15, 2025 Coalition ESS Score
  • Jul 15, 2025 CVE Published
  • Jul 30, 2025 Coalition ESS Score
  • Jul 30, 2025 PoC Published
  • Jul 31, 2025 PoC Published
  • Jul 31, 2025 PoC Published
  • Jul 31, 2025 PoC Published
  • Jul 31, 2025 PoC Published
  • Jul 31, 2025 PoC Published
  • Aug 1, 2025 PoC Published
  • Aug 3, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›