Cybersecurity

The “Alone – Charity Multipurpose Non-profit WordPress Theme”, a commercial theme used in many WordPress websites, contained a critical vulnerability that allowed threat actors to completely take over the website, experts have warned.

The WordPress theme, designed for charities, non-governmental organizations (NGOs), and fundraising campaigns, features more than 40 ready-to-use demos, donation integration, and compatibility with Elementor and WPBakery.

Ongoing Issue

Wordfence researchers claim exploitation started on July 12, two days before the vulnerability was publicly disclosed. So far, the company blocked more than 120,000 exploitation attempts from almost a dozen different IP addresses.

In the attacks, the threat actors try to upload a ZIP archive containing a PHP-based backdoor that gives them remote code execution, as well as the ability to upload arbitrary files. Crooks also used the flaw to deliver backdoors that can create additional admin accounts.

All versions up to 7.8.3 contained a vulnerability that allowed threat actors to upload arbitrary files, including malware that can create admin accounts. This is a form of privilege escalation, which occurs when an attacker exploits a vulnerability to gain a higher level of access within a system or network than they were initially authorized for, often moving from a standard user account to an administrator or root-level account.

Using this method, crooks can take over websites and use them to host other malware, redirect visitors to other malicious pages, serve phishing landing pages, and more.

The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing standards and technology in ways that enhance economic security and improve our quality of life. NIST provides more information about CVE-2025-4394.

The vulnerability is now tracked as CVE-2025-4394 and has a severity score of 9.8/10 (critical). It was addressed in version 7.8.5, released on June 16, 2025. If you use this theme, update it as soon as possible, since the bug is being actively exploited in the wild.
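Two checks a site owner can run against what the article describes, as an added example that is not code from the article, Wordfence, or the theme's authors: read the theme's style.css version header and flag anything older than the patched 7.8.5, and walk the uploads tree for stray PHP files or ZIP archives that bundle PHP, the delivery vehicle the attacks used. The version threshold and the file types come from the article; the directory layout, file names and the list of PHP-executable extensions are assumptions.

```python
import os
import re
import tempfile
import zipfile

PATCHED_VERSION = (7, 8, 5)  # fixed release named in the article
# Extensions a PHP-enabled server typically executes (assumption, not from the article).
PHP_EXT = re.compile(r"\.ph(p\d?|tml|ar)$", re.IGNORECASE)

def parse_version(style_css: str):
    """Return the 'Version:' header of a theme's style.css as an int tuple, or None."""
    m = re.search(r"^\s*Version:\s*([\d.]+)", style_css, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).strip(".").split(".")) if m else None

def theme_is_vulnerable(style_css: str) -> bool:
    """True when the installed version is unknown or older than the patched release."""
    v = parse_version(style_css)
    return v is None or v < PATCHED_VERSION

def zip_contains_php(path: str) -> bool:
    """True if any archive member has a PHP-executable extension."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(PHP_EXT.search(n) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def suspicious_uploads(root: str):
    """Relative paths under root that are PHP files or ZIPs bundling PHP (uploads should be media only)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if PHP_EXT.search(name) or (name.lower().endswith(".zip") and zip_contains_php(full)):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

def demo():
    """Constructed uploads tree: a benign image, a stray PHP file, a ZIP bundling PHP."""
    with tempfile.TemporaryDirectory() as root:
        month = os.path.join(root, "2025", "07")
        os.makedirs(month)
        with open(os.path.join(month, "photo.jpg"), "wb") as f:
            f.write(b"\xff\xd8")  # JPEG magic bytes, constructed
        with open(os.path.join(month, "cache.php"), "w") as f:
            f.write("<?php // constructed placeholder\n")
        with zipfile.ZipFile(os.path.join(month, "bundle.zip"), "w") as zf:
            zf.writestr("readme.txt", "constructed placeholder")
            zf.writestr("inc/update.php", "<?php // constructed placeholder\n")
        return suspicious_uploads(root)
```

Point `suspicious_uploads` at a real wp-content/uploads directory and `theme_is_vulnerable` at the contents of wp-content/themes/alone/style.css to run the checks on a live install.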

According to Themetix, around 200 active WordPress sites are running this theme today.
