{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5394", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-30T16:01:34.027Z", "datePublished": "2025-07-15T03:43:23.137Z", "dateUpdated": "2026-04-08T17:04:57.436Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:57.436Z"}, "affected": [{"vendor": "Bearsthemes", "product": "Alone \u2013 Charity Multipurpose Non-profit WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.8.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Alone \u2013 Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this."}], "title": "Alone \u2013 Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86f91589-b309-49aa-8b04-ca972acaf8fb?source=cve"}, {"url": "https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Th\u00e1i An"}], "timeline": [{"time": "2025-07-14T15:24:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-15T13:37:44.871111Z", "id": "CVE-2025-5394", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T13:37:59.232Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5394", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-15T13:37:44.871111Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T13:37:55.417Z"}}], "cna": {"title": "Alone \u2013 Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation", "credits": [{"lang": "en", "type": "finder", "value": "Th\u00e1i An"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Bearsthemes", "product": "Alone \u2013 Charity Multipurpose Non-profit WordPress Theme", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.8.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-14T15:24:17.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86f91589-b309-49aa-8b04-ca972acaf8fb?source=cve"}, {"url": "https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939"}], "descriptions": [{"lang": "en", "value": "The Alone \u2013 Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-15T03:43:23.137Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5394", "state": "PUBLISHED", "dateUpdated": "2025-07-15T13:37:59.232Z", "dateReserved": "2025-05-30T16:01:34.027Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-15T03:43:23.137Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Alone \u2013 Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this."}, {"lang": "es", "value": "El tema Alone \u2013 Charity Multipurpose Non-profit WordPress Theme para WordPress sin fines de lucro y caritativo es vulnerable a la carga de archivos arbitrarios debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n alone_import_pack_install_plugin() en todas las versiones hasta la 7.8.3 incluida. Esto permite que atacantes no autenticados carguen archivos zip con webshells camuflados en complementos desde ubicaciones remotas para ejecutar c\u00f3digo remoto."}], "id": "CVE-2025-5394", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-15T04:15:55.200", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86f91589-b309-49aa-8b04-ca972acaf8fb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"created": "2026-04-21T19:45:16.081372+00:00", "updated": "2026-05-11T17:45:26.345336+00:00", "vendors": []}