
Intrusions leveraging critical WordPress Alone theme RCE underway


BleepingComputer reports that vulnerable WordPress sites using the Alone theme versions 7.8.3 and older are being subjected to ongoing attacks involving the critical unauthenticated flaw, tracked as CVE-2025-5394, which could result in remote code execution and total site hijacking.

More than 120,000 attempted intrusions have already been launched against sites impacted by the security issue, which results from inadequate nonce checks and exposure of the Alone theme's 'alone_import_pack_install_plugin()' function through a wp_ajax_nopriv_ hook, according to Wordfence. Analysis of the attempted exploitation, which originated from four IP addresses, showed the vulnerability being used not only to upload webshells embedded in ZIP archives and distribute password-protected PHP backdoors for persistent RCE but also to inject full-featured file managers for full website database compromise, said Wordfence researchers.

Immediate patching to Alone v7.8.5 has been recommended. The discovery follows reported attacks exploiting a user validation bug in the Motors WordPress theme to enable admin account takeovers.
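An added example, not code from the article, Wordfence or the Alone theme: a Python audit that lists `wp_ajax_nopriv_` handlers in theme source whose body calls no nonce or capability check, the pattern described above, and flags a theme whose style.css version is below 7.8.5. The sample PHP, the `demo_*` names and the Python function names are constructed for illustration; treating every version below 7.8.5 as needing the update is an assumption based on the recommended fix version.

```python
import re

# add_action('wp_ajax_nopriv_<action>', '<callback>') with a string callback.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_nopriv_(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
# WordPress core functions that verify a nonce or a capability.
GUARDS = ("check_ajax_referer", "wp_verify_nonce", "current_user_can")
FIXED_IN = (7, 8, 5)  # patched Alone release named in the article

# Constructed sample input (hypothetical theme code, not the Alone theme's).
SAMPLE_PHP = """<?php
add_action('wp_ajax_nopriv_demo_install_pack', 'demo_install_pack');
add_action('wp_ajax_nopriv_demo_subscribe', 'demo_subscribe');
function demo_install_pack() {
    if (isset($_POST['slug'])) { demo_do_install($_POST['slug']); }
    wp_die();
}
function demo_subscribe() {
    check_ajax_referer('demo_subscribe');
    wp_die();
}
"""
SAMPLE_STYLE = "/*\nTheme Name: Demo\nVersion: 7.8.3\n*/"

def function_body(src, name):
    """Return the brace-delimited body of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:  # heuristic: ignores braces in strings
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def unguarded_nopriv_handlers(php_sources):
    """Return (action, callback) pairs whose handler body has no guard call."""
    src = "\n".join(php_sources)
    hits = []
    for action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is not None and not any(g in body for g in GUARDS):
            hits.append((action, callback))
    return hits

def needs_update(style_css):
    """True if style.css reports a version below FIXED_IN (or none at all)."""
    m = re.search(r"^\s*Version:\s*(\d+(?:\.\d+)*)", style_css, re.MULTILINE)
    return not m or tuple(map(int, m.group(1).split("."))) < FIXED_IN
```

A hit is a lead for manual review: the scan does not follow guard calls made in helper functions, and a nonce on a logged-out endpoint is not an authorization check by itself.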
