VDB
CVE-2025-5394
CVE-2025-5394
PUBLISHED
CVSS 9.800000190734863 CRITICAL
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
EPSS 21.84% · 95.9th percentile
Risk Scores
CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
21.84%
95.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bearsthemes | Alone – Charity Multipurpose Non-profit WordPress Theme | * |
Timeline
- Jul 15, 2025 EPSS Score
- Jul 15, 2025 Coalition ESS Score
- Jul 15, 2025 CVE Published
- Jul 30, 2025 Coalition ESS Score
- Jul 30, 2025 PoC Published
- Jul 31, 2025 PoC Published
- Jul 31, 2025 PoC Published
- Jul 31, 2025 PoC Published
- Jul 31, 2025 PoC Published
- Jul 31, 2025 PoC Published
- Aug 1, 2025 PoC Published
- Aug 3, 2025 EPSS Score