Overview

• Wordfence has logged and blocked 120,900 exploitation attempts of CVE-2025-5394 as of July 31, signaling ongoing attacker campaigns.
• The flaw stems from missing nonce checks in the alone_import_pack_install_plugin() function and affects all theme versions up to 7.8.3, which was patched on June 16.
• Attackers began exploiting the vulnerability on July 12, two days before its public disclosure, to upload webshells and PHP backdoors for remote code execution.
• Compromised sites exhibit rogue administrator accounts, unauthorized plugin folders and full-featured file managers, with suspicious admin-ajax.php requests as key indicators.
• Nearly 10,000 non-profit and charity sites using the premium Alone theme face elevated risk, underscoring the urgency of proactive threat monitoring.