CVE-2025-5394

Severity: CRITICAL (CVSS 3.1 base score 9.8)
Published: 2025-07-15 ([email protected])

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 08, 2026 - 18:38 (vuln.today)
CVE Published: Jul 15, 2025 - 04:15 (nvd), rated CRITICAL 9.8

Description (NVD)

The Alone - Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this.

Analysis (AI)

Remote code execution via arbitrary plugin upload in Alone - Charity Multipurpose Non-profit WordPress Theme up to version 7.8.3 allows unauthenticated attackers to upload malicious zip files containing webshells through the alone_import_pack_install_plugin() function, achieving complete server compromise. This critical vulnerability (CVSS 9.8) stems from missing capability checks, enabling attackers to bypass all authentication requirements. No public exploit identified at time of analysis, though the attack is technically straightforward given the unauthenticated attack vector and low complexity (AC:L).

Technical Context (AI)

This vulnerability stems from a missing authorization check (CWE-862) in the alone_import_pack_install_plugin() function within the Alone theme's plugin installation mechanism. WordPress themes should enforce capability checks using WordPress's built-in functions such as current_user_can() to verify administrative privileges before allowing file uploads or plugin installations. The vulnerable function accepts zip file uploads from remote locations without validating user permissions, allowing arbitrary files to be written to the WordPress plugins directory. Since WordPress executes PHP files in the plugins directory, attackers can package a webshell as a plugin ZIP archive and upload it directly through this endpoint. The absence of any authentication requirement (PR:N in the CVSS vector) combined with network accessibility (AV:N) makes this a pre-authentication remote code execution vulnerability, the most severe category of WordPress theme flaws.
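As an added illustration, not the Alone theme's own code and not part of the vuln.today analysis, the following shows the CWE-862 pattern described above next to the hardened shape of a WordPress AJAX plugin-install handler; the action slug, nonce action name, helper function names and the allow-listed plugin slug/URL are assumptions made for this example.

```php
<?php
// Added illustrative code, not the Alone theme's real implementation. The
// action slug, nonce action name and allowed plugin slugs are assumptions.

// Pattern behind CWE-862: exposed to logged-out visitors via wp_ajax_nopriv_
// and installs whatever ZIP the request names, with no check on the caller.
add_action( 'wp_ajax_nopriv_alone_import_pack_install_plugin', 'weak_install_plugin' );
function weak_install_plugin() {
    $zip_url = esc_url_raw( wp_unslash( $_POST['plugin_url'] ?? '' ) );
    example_install_plugin_package( $zip_url ); // reachable by anyone on the network
}

// Hardened form: admin-only hook, nonce check, capability check, and the
// package source is resolved from an allow-list instead of the request.
add_action( 'wp_ajax_alone_import_pack_install_plugin', 'hardened_install_plugin' );
function hardened_install_plugin() {
    // CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'alone_import_pack', 'nonce' );

    // Authorization (the check CVE-2025-5394 lacks): only users who may
    // install plugins get past this point. Logged-out callers never reach
    // this handler at all because there is no wp_ajax_nopriv_ hook for it.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: accept a known slug, never a caller-supplied URL.
    $allowed = array( 'example-companion-plugin' => 'https://downloads.wordpress.org/plugin/example-companion-plugin.zip' );
    $slug    = sanitize_key( $_POST['plugin_slug'] ?? '' );
    if ( ! isset( $allowed[ $slug ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }

    $result = example_install_plugin_package( $allowed[ $slug ] );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Shared installer using WordPress core's upgrader (Plugin_Upgrader::install
// returns true on success, false or a WP_Error otherwise).
function example_install_plugin_package( $package_url ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $package_url );
    return ( true === $result ) ? true : ( is_wp_error( $result ) ? $result : new WP_Error( 'install_failed', 'Installation failed.' ) );
}
```

The capability check is what turns an internet-reachable installer into an administrator-only one; the nonce and allow-list close the CSRF and arbitrary-source paths that remain even once authorization is enforced.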

Affected Products (AI)

Alone - Charity Multipurpose Non-profit WordPress Theme versions 7.8.3 and earlier are affected by this vulnerability. The theme is distributed through ThemeForest marketplace under item ID 15019939. All WordPress installations running any version of this theme up to and including 7.8.3 should be considered compromised or at immediate risk. The vulnerability affects the core theme functionality related to plugin installation and is not dependent on specific WordPress core versions, though it requires the theme to be active and accessible.

Remediation (AI)

Immediately update to Alone theme version 7.8.4 or later if available from ThemeForest or the theme vendor. Check the ThemeForest item page at https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939 for the latest patched release. If a patched version is not available, implement emergency mitigation by completely deactivating and removing the Alone theme, switching to a trusted alternative WordPress theme until vendor remediation is confirmed. Review WordPress access logs for suspicious POST requests to alone_import_pack_install_plugin or unexpected plugin installations, and conduct forensic investigation if compromise is suspected. Consult Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/86f91589-b309-49aa-8b04-ca972acaf8fb for updated remediation guidance. Organizations using this theme should implement web application firewall rules blocking access to the vulnerable function endpoint as a temporary measure.

CVE-2025-5394 vulnerability details – vuln.today