{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5393", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-30T15:55:36.748Z", "datePublished": "2025-07-15T03:43:22.575Z", "dateUpdated": "2026-04-08T16:43:57.417Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:57.417Z"}, "affected": [{"vendor": "Bearsthemes", "product": "Alone \u2013 Charity Multipurpose Non-profit WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.8.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Alone \u2013 Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addresses in 7.8.7."}], "title": "Alone \u2013 Charity Multipurpose Non-profit WordPress Theme <= 7.8.5 - Missing Authorization to Unauthenticated Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2cb1b526-0df6-42a1-9294-90bc61730209?source=cve"}, {"url": "https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Th\u00e1i An"}], "timeline": [{"time": "2025-07-14T15:24:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-15T13:23:26.100057Z", "id": "CVE-2025-5393", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T19:48:30.175Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5393", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-15T13:23:26.100057Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T13:23:28.561Z"}}], "cna": {"title": "Alone \u2013 Charity Multipurpose Non-profit WordPress Theme <= 7.8.5 - Missing Authorization to Unauthenticated Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Th\u00e1i An"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "Bearsthemes", "product": "Alone \u2013 Charity Multipurpose Non-profit WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.8.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-14T15:24:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2cb1b526-0df6-42a1-9294-90bc61730209?source=cve"}, {"url": "https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939"}], "descriptions": [{"lang": "en", "value": "The Alone \u2013 Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addresses in 7.8.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:57.417Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5393", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:57.417Z", "dateReserved": "2025-05-30T15:55:36.748Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-15T03:43:22.575Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Alone \u2013 Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addresses in 7.8.7."}, {"lang": "es", "value": "El tema Alone \u2013 Charity Multipurpose Non-profit WordPress Theme de WordPress para organizaciones ben\u00e9ficas sin \u00e1nimo de lucro es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n alone_import_pack_restore_data() en todas las versiones hasta la 7.8.3 incluida. Esto permite que atacantes no autenticados eliminen archivos arbitrarios en el servidor, lo que puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php)."}], "id": "CVE-2025-5393", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-15T04:15:46.870", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2cb1b526-0df6-42a1-9294-90bc61730209?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:06:30.336021+00:00", "value": {"mitigation_remediation": ["Upgrade the theme to version 7.8.7 or later, where the file\u2011path validation bug is fully patched.", "If an upgrade is temporarily infeasible, restrict web access to the file\u2011deletion endpoint by implementing role\u2011based access controls or enforcing local network isolation for theme administration functions.", "Immediately back up the entire WordPress installation, including wp\u2011config.php and other sensitive files, and verify that no unauthorized deletions have occurred before continuing any mitigations."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Unauthenticated File Deletion"}, "threat_synthesis": {"affected_systems": "Bearsthemes published the Alone \u2013 Charity Multipurpose Non\u2011profit WordPress Theme. All installations using versions 7.8.5 or earlier are vulnerable. Versions 7.8.6 and 7.8.7 contain the fix that validates file paths correctly and blocks unauthorized deletion attempts.", "description_and_impact": "The vulnerability arises from insufficient file path validation in the alone_import_pack_restore_data() function of the Alone \u2013 Charity Multipurpose Non\u2011profit WordPress Theme through version 7.8.5. The flaw allows any unauthenticated user to request deletion of arbitrary files on the web server. Deleting critical configuration files such as wp\u2011config.php can enable an attacker to execute scripts or seize full control of the site, thereby compromising confidentiality, integrity, and availability of the affected application. The weakness is classified as CWE\u201173, indicating a lack of proper path sanitization. The CVSS score of 9.1 marks it as Critical severity.", "risk_and_exploitability": "The EPSS score is below 1%, suggesting a small but non\u2011zero chance of exploitation in the wild at present. The absence of a KEV listing means there are no confirmed incidents yet reported in the CISA catalog, though the high CVSS indicates a strong potential impact. Attackers would simply need to construct a deletion request via the vulnerable function, which requires no authentication and can be triggered from any access point that calls alone_import_pack_restore_data()."}}}}, "created": "2026-04-22T17:15:22.198303+00:00", "updated": "2026-04-22T17:15:22.198320+00:00", "vendors": []}