CVE-2025-5394
CRITICALCVSS v3
9.8
CRITICAL
EPSS Score
17.5%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this.
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 7/15/2025
- Last Modified
- 4/15/2026
Frequently Asked Questions
What is CVE-2025-5394?
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this.
Is CVE-2025-5394 actively exploited?
Active exploitation of CVE-2025-5394 has not been confirmed. The EPSS score is 17.5%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2025-5394?
CVE-2025-5394 has a CVSS v3 base score of 9.8 (CRITICAL severity), with vector string 3.1.
Is CVE-2025-5394 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.