Description
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addressed in 7.8.7.
Published: 2025-07-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Unauthenticated File Deletion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from insufficient file path validation in the alone_import_pack_restore_data() function of the Alone – Charity Multipurpose Non‑profit WordPress Theme through version 7.8.5. The flaw allows any unauthenticated user to request deletion of arbitrary files on the web server. Deleting critical configuration files such as wp‑config.php can enable an attacker to execute scripts or seize full control of the site, thereby compromising confidentiality, integrity, and availability of the affected application. The weakness is classified as CWE‑73, indicating a lack of proper path sanitization. The CVSS score of 9.1 marks it as Critical severity.

Affected Systems

Bearsthemes published the Alone – Charity Multipurpose Non‑profit WordPress Theme. All installations using versions 7.8.5 or earlier are vulnerable. Versions 7.8.6 and 7.8.7 contain the fix that validates file paths correctly and blocks unauthorized deletion attempts.

Risk and Exploitability

The EPSS score is below 1%, suggesting a small but non‑zero chance of exploitation in the wild at present. The absence of a KEV listing means there are no confirmed incidents yet reported in the CISA catalog, though the high CVSS indicates a strong potential impact. Attackers would simply need to construct a deletion request via the vulnerable function, which requires no authentication and can be triggered from any access point that calls alone_import_pack_restore_data().

Generated by OpenCVE AI on April 22, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the theme to version 7.8.7 or later, where the file‑path validation bug is fully patched.
  • If an upgrade is temporarily infeasible, restrict web access to the file‑deletion endpoint by implementing role‑based access controls or enforcing local network isolation for theme administration functions.
  • Immediately back up the entire WordPress installation, including wp‑config.php and other sensitive files, and verify that no unauthorized deletions have occurred before continuing any mitigations.
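The two controls the analysis above identifies as missing (authorization of the caller and confinement of the requested path, CWE-73) can be combined in a single deletion helper. This is an added example written for this page, not code from the Alone theme or from WordPress core; the `example_` function name, the `manage_options` capability choice and the nonce action string are assumptions.

```php
<?php
// Added example, not the theme's or WordPress core's code. It shows the two
// checks the advisory says were missing: authorization of the caller and
// confinement of the requested path. Names prefixed "example_" and the nonce
// action string are assumptions for illustration.

/**
 * Delete a file from the import-pack directory only if the caller is an
 * administrator and the resolved path stays inside $base_dir.
 *
 * @return true|WP_Error
 */
function example_safe_delete_import_file( $requested, $base_dir ) {
    // Authorization: an unauthenticated or low-privilege caller is rejected.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    // CSRF protection for the request (assumed nonce action name).
    if ( ! check_ajax_referer( 'example_import_pack', 'nonce', false ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request token.' );
    }

    $base = realpath( $base_dir );
    if ( false === $base ) {
        return new WP_Error( 'no_base', 'Import directory does not exist.' );
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    // Keep only a bare file name: basename() drops directory parts such as "..",
    // sanitize_file_name() strips characters WordPress does not allow in names.
    $name = sanitize_file_name( basename( (string) $requested ) );
    if ( '' === $name ) {
        return new WP_Error( 'bad_name', 'Empty or invalid file name.' );
    }

    // Resolve symlinks, then require the real path to start with the base
    // directory and to be a regular file (not a directory or a missing file).
    $target = realpath( $base . $name );
    if ( false === $target || 0 !== strpos( $target, $base ) || ! is_file( $target ) ) {
        return new WP_Error( 'outside_base', 'File is not inside the import directory.' );
    }

    if ( ! unlink( $target ) ) {
        return new WP_Error( 'unlink_failed', 'Could not delete file.' );
    }
    return true;
}
```

The realpath() check after basename() matters because a symlink placed inside the import directory could otherwise point the deletion at a file elsewhere on the server.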

Advisories
Source: EUVD
ID: EUVD-2025-21417
Title: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Wed, 08 Apr 2026 17:00:00 +0000

Type: Description
Values Removed: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Values Added: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addresses in 7.8.7.

Type: Title
Values Removed: Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Deletion
Values Added: Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.5 - Missing Authorization to Unauthenticated Arbitrary File Deletion

Tue, 15 Jul 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Added: {'score': 0.00257}


Tue, 15 Jul 2025 04:00:00 +0000

Type: Description
Values Added: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Type: Title
Values Added: Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Deletion

Type: Weaknesses
Values Added: CWE-73

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:57.417Z

Reserved: 2025-05-30T15:55:36.748Z

Link: CVE-2025-5393

Vulnrichment

Updated: 2025-07-15T13:23:28.561Z

NVD

Status: Deferred

Published: 2025-07-15T04:15:46.870

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5393

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:15:22Z

Weaknesses