Skip to main content
CVE-2025-5394 CRITICAL POC THREAT Emergency

Remote code execution via arbitrary plugin upload in Alone - Charity Multipurpose Non-profit WordPress Theme up to version 7.8.3 allows unauthenticated attackers to upload malicious zip files containing webshells through the alone_import_pack_install_plugin() function, achieving complete server compromise. This critical vulnerability (CVSS 9.8) stems from missing capability checks, enabling attackers to bypass all authentication requirements. No public exploit identified at time of analysis, though the attack is technically straightforward given the unauthenticated attack vector and low complexity (AC:L).

Authentication Bypass WordPress RCE
NVD
CVSS 3.1
9.8
EPSS
15.5%
CVE-2025-7340 CRITICAL PATCH Act Now

Unauthenticated remote code execution in HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks plugin (all versions ≤2.2.1) allows attackers to upload arbitrary files to the WordPress server. Missing file type validation in temp_file_upload() function enables unrestricted file uploads, permitting execution of malicious scripts. Critical severity (CVSS 9.8) due to network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis.

RCE WordPress File Upload Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks Elementor
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-7360 CRITICAL PATCH Act Now

Arbitrary file movement in HT Contact Form Widget for Elementor & Gutenberg (WordPress plugin) allows unanatuhenticated remote attackers to relocate server files including wp-config.php, enabling remote code execution. Affects all versions through 2.2.1. Vulnerability stems from insufficient path validation in handle_files_upload() function. No public exploit identified at time of analysis, low observed exploitation activity.

Path Traversal WordPress RCE PHP Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks +1
NVD
CVSS 3.1
9.1
EPSS
1.3%
CVE-2025-7341 CRITICAL PATCH Act Now

Arbitrary file deletion in HT Contact Form Widget For Elementor (WordPress plugin) allows unanetworks attackers to remove critical server files, enabling remote code execution. Affecting all versions through 2.2.1, the vulnerability stems from insufficient path validation in temp_file_delete(), permitting deletion of wp-config.php or other essential files. CVSS 9.1 (Critical) with network attack vector, low complexity, and no authentication required. Vendor patch available (changeset 3326887). No public exploit identified at time of analysis, though the attack path is straightforward for skilled adversaries.

WordPress Privilege Escalation RCE PHP Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks +1
NVD
CVSS 3.1
9.1
EPSS
0.8%
CVE-2025-5393 CRITICAL Act Now

Unauthenticated arbitrary file deletion in Alone WordPress theme versions ≤7.8.5 enables remote attackers to achieve code execution by deleting critical files like wp-config.php. The vulnerability stems from insufficient path validation in the alone_import_pack_restore_data() function, exploitable over the network with low complexity and no user interaction required. Partial fix released in version 7.8.5; fully addressed in version 7.8.7. EPSS data and KEV status not provided in available intelligence, but the unauthenticated remote attack vector and direct path to RCE represent critical risk for sites running affected versions.

WordPress RCE PHP
NVD
CVSS 3.1
9.1
EPSS
0.9%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy