CVE-2025-5394
BaseFortify
Publication date: 2025-07-15
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alone | charity_multipurpose_non-profit_wordpress_theme | 7.8.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Alone β Charity Multipurpose Non-profit WordPress Theme up to version 7.8.3, where a missing capability check in the alone_import_pack_install_plugin() function allows unauthenticated attackers to upload arbitrary zip files. These zip files can contain webshells disguised as plugins, enabling remote code execution on the affected site.
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute arbitrary code remotely on your WordPress site by uploading malicious plugin files without authentication. This can lead to full site compromise, data theft, defacement, or use of the site for further attacks.