- Alone – Charity Multipurpose Non-profit WordPress Theme has a 9.8/10 flaw
- The bug allows attackers to create rogue admin accounts
- More than 120,000 takeover attempts already blocked
The “Alone – Charity Multipurpose Non-profit WordPress Theme”, a commercial theme used on many WordPress websites, contained a critical vulnerability that allowed threat actors to completely take over the site, experts have warned.
The WordPress theme, designed for charities, NGOs, and fundraising campaigns, offers more than 40 ready-to-use demos, donation integration, and compatibility with Elementor and WPBakery.
According to Themetix, around 200 active WordPress sites are running this theme right now.
Ongoing attacks
Wordfence researchers say exploitation started on July 12, two days before the vulnerability was publicly disclosed. So far, the company has blocked more than 120,000 exploitation attempts from almost a dozen different IP addresses.
In the attacks, the threat actors try to upload a ZIP archive containing a PHP-based backdoor that grants them remote code execution, as well as the ability to upload arbitrary files. Attackers have also used the flaw to deliver backdoors that can create additional admin accounts.
All versions up to 7.8.3 contained a vulnerability that allowed threat actors to upload arbitrary files, including malware that can create admin accounts. That way, attackers can completely take over websites and use them to host other malware, redirect visitors to other malicious pages, serve phishing landing pages, and more.
The vulnerability is now tracked as CVE-2025-4394 and has a severity score of 9.8/10 (critical). It was addressed in version 7.8.5, which was released on June 16, 2025. If you are using this theme, it would be wise to update it as soon as possible, since the bug is being actively exploited in the wild.
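Two checks a site owner can run against the points above, written here as an added example (not code from the article, Wordfence, or the theme vendor): read the installed theme version from its style.css header and compare it against the 7.8.5 fix, and list the members of an uploaded ZIP archive that a PHP-enabled web server would execute if extracted under the web root. The style.css header, the ZIP contents and the theme slug are constructed sample data, not taken from a real site.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Version that addressed CVE-2025-4394 according to the article; anything below it is affected.
FIXED_VERSION = (7, 8, 5)
# Extensions commonly executed as PHP by a web server; a heuristic, not an exhaustive list.
PHP_EXTS = {"php", "php5", "php7", "php8", "phtml", "phar"}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '7.8.3' into (7, 8, 3); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple((parts + [0, 0, 0])[:3])


def theme_version_from_style_css(style_css: str) -> str:
    """Read the 'Version:' header that every WordPress theme declares in style.css."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", style_css, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("no Version header found in style.css")
    return m.group(1)


def is_vulnerable_version(version: str) -> bool:
    """True for any release below the 7.8.5 fix (the article lists 7.8.3 as the last affected)."""
    return parse_version(version) < FIXED_VERSION


def executable_entries(zip_bytes: bytes) -> List[str]:
    """Archive members with a PHP-like extension anywhere in the name (catches 'x.php.jpg' too)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            segments = name.rsplit("/", 1)[-1].lower().split(".")[1:]
            if any(seg in PHP_EXTS for seg in segments):
                flagged.append(name)
    return flagged


# Constructed sample data: a theme header and an "image pack" ZIP that smuggles a PHP file.
SAMPLE_STYLE_CSS = "/*\nTheme Name: Alone (sample)\nVersion: 7.8.3\n*/\n"


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/logo.png", b"\x89PNG placeholder")
        zf.writestr("images/thumb.php", "<?php /* constructed placeholder, no functionality */ ?>")
    return buf.getvalue()


if __name__ == "__main__":
    v = theme_version_from_style_css(SAMPLE_STYLE_CSS)
    print(f"theme version {v}: {'VULNERABLE, update to 7.8.5+' if is_vulnerable_version(v) else 'patched'}")
    print("archive members a PHP server would execute:", executable_entries(build_sample_zip()))
```

On a live site, point theme_version_from_style_css at wp-content/themes/<theme-slug>/style.css and executable_entries at any ZIP found under wp-content/uploads; a PHP file inside an "image" archive is the pattern the article describes.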
WordPress is generally considered a safe website builder platform, but third-party themes and plugins, not so much. That is why security professionals advise WordPress users to keep only the plugins and themes they actively use, and to make sure they are always up to date.
Via The Hacker News