A critical security flaw in the WordPress theme ‘Alone’ is being actively exploited by hackers to take full control of websites, according to a report from WordPress security firm Wordfence.

The vulnerability allows attackers to upload malicious files without authentication, giving them the ability to run code remotely and completely compromise affected sites.

Wordfence says it has already blocked more than 120,000 attempts to exploit the flaw across its network. Even more concerning, the attacks began several days before the vulnerability was publicly disclosed, suggesting hackers are keeping a close eye on changelogs and updates to spot weaknesses before website owners are alerted.

The vulnerability is tracked as CVE-2025-5394 and affects all versions of the Alone theme up to v7.8.3. The theme’s developer, Bearsthemes, patched the issue in version 7.8.5, which was released on June 16, 2025.

At the root of the problem is a function called alone_import_pack_install_plugin(), which is exposed to unauthenticated users through an AJAX hook. This function doesn’t include basic security checks and allows users to send plugin install requests from external URLs — opening the door for attackers to upload webshells and backdoors.

Wordfence warns that once attackers gain access, they often install password-protected PHP backdoors or even full-featured file managers. These tools let them execute commands remotely, manage files, create hidden admin users, and interact directly with site databases.

Warning signs of a compromised site include:

  • New, unauthorized admin accounts
  • Suspicious ZIP/plugin folders
  • Traffic to admin-ajax.php?action=alone_import_pack_install_plugin

Wordfence has identified several IP addresses involved in the attacks and recommends blocking the following immediately:

  • 193.84.71.244
  • 87.120.92.24
  • 146.19.213.18
  • 2a0b:4141:820:752::2
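The warning signs and block list above can be turned into a quick log triage. The following is an added example, not code from the article or from Wordfence; it assumes the web server writes Apache/nginx combined-format access logs and that the AJAX action appears in the query string (a POST body carrying `action=` would not be visible in an access log, so absence of hits there is not proof of absence). The log lines are constructed samples.

```python
import re
from ipaddress import ip_address

# Indicator from the report: the AJAX action the vulnerable handler is bound to.
SUSPICIOUS_ACTION = "alone_import_pack_install_plugin"

# IP addresses the report recommends blocking (copied from the article).
BLOCKED_IPS = {
    ip_address("193.84.71.244"),
    ip_address("87.120.92.24"),
    ip_address("146.19.213.18"),
    ip_address("2a0b:4141:820:752::2"),
}

# Combined log format: client IP, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (not real traffic): one benign hit, two hits on the
# vulnerable action (one from a listed IP), and one listed IP browsing uploads.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
193.84.71.244 - - [20/Jul/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 43
198.51.100.9 - - [20/Jul/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 43
2a0b:4141:820:752::2 - - [20/Jul/2025:10:00:04 +0000] "GET /wp-content/uploads/2025/07/ HTTP/1.1" 403 199
"""

def classify(line):
    """Return the reasons a log line looks like CVE-2025-5394 activity (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []          # not a combined-format line; skip rather than guess
    reasons = []
    try:
        ip = ip_address(m.group("ip"))
    except ValueError:
        ip = None          # malformed client field; cannot match against the block list
    if ip in BLOCKED_IPS:
        reasons.append("source IP on Wordfence block list")
    path = m.group("path")
    # Any request to this action deserves review: the legitimate use is an
    # authenticated demo-import step, not unauthenticated POSTs from the internet.
    if "admin-ajax.php" in path and f"action={SUSPICIOUS_ACTION}" in path:
        reasons.append("request to vulnerable AJAX action")
    return reasons

def scan(log_text):
    """Return (line_number, reasons) for every flagged line in an access log."""
    return [(n, r) for n, line in enumerate(log_text.splitlines(), 1) if (r := classify(line))]
```

Run `scan()` over the real access log and review the flagged lines alongside the user table and wp-content/plugins directory for the other warning signs listed above.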

The Alone theme is sold through the Envato Market and has been purchased nearly 10,000 times, mostly by charities, NGOs, and other non-profits. Despite being alerted to the issue by Wordfence on May 30, Bearsthemes didn’t respond, prompting Wordfence to escalate the report to Envato on June 12. The fix came just four days later.

This latest incident comes on the heels of a similar attack targeting the popular WordPress theme Motors, where hackers took advantage of a user validation flaw to hijack admin accounts.

If your website uses the Alone theme, updating to version 7.8.5 immediately is strongly recommended. Ignoring this fix could leave your site exposed to serious security risks and potential data loss.