CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Description (NVD)
The Alone - Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addressed in 7.8.7.
Analysis (AI)
Unauthenticated arbitrary file deletion in Alone WordPress theme versions ≤7.8.5 enables remote attackers to achieve code execution by deleting critical files like wp-config.php. The vulnerability stems from insufficient path validation in the alone_import_pack_restore_data() function, exploitable over the network with low complexity and no user interaction required. Partial fix released in version 7.8.5; fully addressed in version 7.8.7. EPSS data and KEV status not provided in available intelligence, but the unauthenticated remote attack vector and direct path to RCE represent critical risk for sites running affected versions.
Technical Context (AI)
This vulnerability is an instance of CWE-73 (External Control of File Name or Path) in a WordPress theme's data import/restore functionality. The alone_import_pack_restore_data() function does not properly validate or sanitize a file path taken from request input before deleting the file, so the path is attacker-controlled. In PHP, a path built from unvalidated input can be steered to any location the web server process may unlink, either with directory traversal sequences (../) that escape the intended directory or with an absolute path that ignores it entirely; the deletion succeeds for any file the PHP process has permission to remove, which on typical hosting includes wp-config.php. Deleting wp-config.php, which holds the database credentials and authentication salts, has an outsized effect: when the file is absent WordPress serves its installation wizard, so an attacker can complete a fresh install pointed at a database they control, create an administrator account, and then upload a plugin or edit a theme file to run arbitrary PHP. Because the theme is sold through ThemeForest rather than hosted on WordPress.org, updates are applied manually by the site owner, so vulnerable installations are likely to persist longer than they would for a WordPress.org-hosted theme with automatic update notices.
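The pattern behind this class of bug, shown as an added example in plain PHP that is not the Alone theme's code: a hypothetical restore-cleanup handler that deletes a backup file named by the client, first in the vulnerable form (path concatenated from user input) and then hardened by restricting the name to a bare basename, canonicalising with realpath(), and requiring the result to sit inside the allowed directory. The directory names, the `pack.json` sample file and the fake `wp-config.php` are all constructed under the system temp directory for the demo; in a real theme the base directory would come from something like wp_upload_dir() (an assumption about the deployment, not taken from the advisory).

```php
<?php
// Added example, not the Alone theme's code. Function and path names are
// hypothetical; the demo writes only under the system temp directory.

// Directory the handler is allowed to touch (hypothetical; a real WordPress
// handler would derive this from wp_upload_dir() or a theme-specific folder).
define('RESTORE_DIR', sys_get_temp_dir() . '/restore-demo');

// VULNERABLE: trusts the caller-supplied name. "../../wp-config.php" or an
// absolute path escapes RESTORE_DIR and unlink() removes whatever it resolves to.
function vulnerable_restore_cleanup(string $userFile): bool {
    $path = RESTORE_DIR . '/' . $userFile;
    return file_exists($path) && unlink($path);
}

// HARDENED: accept only a flat file name, resolve both the base directory and
// the candidate to canonical absolute paths, and require the candidate to sit
// strictly inside the base. realpath() collapses "..", "." and symlinks, so
// string tricks cannot bypass the prefix check; a missing file yields false.
function safe_restore_cleanup(string $userFile): bool {
    // The handler only ever deletes a file it created itself, so anything
    // containing a separator or ".." is rejected before touching the disk.
    if ($userFile === '' || $userFile !== basename($userFile)) {
        return false;
    }
    // Allow-list on the expected file name shape and extensions.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(json|xml|zip)$/', $userFile)) {
        return false;
    }
    $base = realpath(RESTORE_DIR);
    $path = realpath(RESTORE_DIR . '/' . $userFile);
    if ($base === false || $path === false) {
        return false;
    }
    // Containment check on canonical paths; the trailing separator stops
    // "/tmp/restore-demo-evil/x" from matching the prefix "/tmp/restore-demo".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    if (!is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Demo harness: build a fake install layout beside RESTORE_DIR, then feed an
// attacker-controlled name to both handlers and report what happened.
function run_demo(): array {
    @mkdir(RESTORE_DIR, 0700, true);
    $fakeInstall = dirname(RESTORE_DIR) . '/wp-demo';   // constructed stand-in for a site root
    @mkdir($fakeInstall, 0700, true);
    $config = $fakeInstall . '/wp-config.php';
    file_put_contents($config, "<?php // demo config\n");
    file_put_contents(RESTORE_DIR . '/pack.json', '{}');

    $payload = '../wp-demo/wp-config.php';               // traversal relative to RESTORE_DIR
    $results = [];
    $results['hardened_blocks_traversal'] = safe_restore_cleanup($payload) === false && file_exists($config);
    $results['hardened_blocks_absolute']  = safe_restore_cleanup($config) === false && file_exists($config);
    $results['hardened_allows_own_file']  = safe_restore_cleanup('pack.json') === true;
    $results['vulnerable_deletes_config'] = vulnerable_restore_cleanup($payload) === true && !file_exists($config);
    return $results;
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    foreach (run_demo() as $check => $ok) {
        printf("%-28s %s\n", $check, $ok ? 'PASS' : 'FAIL');
    }
}
```

Run with `php restore_demo.php`; all four checks should print PASS, the last one because the vulnerable handler really does remove the constructed wp-config.php. Inside WordPress the same idea is usually expressed with the core helper validate_file(), which returns a non-zero code for names containing ".." or a drive prefix, but the realpath() containment check is the part that cannot be fooled by encoding or symlink tricks, so keep it even when validate_file() is also used.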
Affected Products (AI)
The Alone - Charity Multipurpose Non-profit WordPress Theme, a commercial theme distributed through ThemeForest, is affected in all versions up to and including 7.8.5. Version 7.8.5 contains a partial patch that did not fully address the vulnerability. The theme is designed for charity and nonprofit organization websites running on WordPress. Complete vendor information and security advisories are available through Wordfence Threat Intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/2cb1b526-0df6-42a1-9294-90bc61730209 and the theme's ThemeForest marketplace page at https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939.
Remediation (AI)
Immediately upgrade to Alone theme version 7.8.7 or later, which contains the complete fix for this vulnerability. Version 7.8.5 provided only partial mitigation and should not be considered secure. Site administrators should download the latest version from their ThemeForest account dashboard and replace the existing theme files via the WordPress admin panel or FTP. After patching, confirm that wp-config.php is still present and unmodified, review server logs for suspicious requests to the theme's import/restore endpoints, and verify filesystem integrity (for example with `wp core verify-checksums`, which compares the core files against the official checksums); also look for the signs of a completed attack, such as the installation wizard having been run, unknown administrator accounts, or plugins and theme files that nobody installed. If immediate patching is not feasible, temporarily disable the theme and switch to a default WordPress theme. A web application firewall rule is a weaker stopgap: alone_import_pack_restore_data() is a PHP function, not a URL, and the advisory does not name the AJAX action or REST route it is hooked to, so any rule has to be built from the request details in the vendor's or Wordfence's write-up rather than from the function name. Consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/2cb1b526-0df6-42a1-9294-90bc61730209 for additional technical details and indicators of compromise.