Description
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addresses in 7.8.7.
Published: 2025-07-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient file path validation in the alone_import_pack_restore_data() function of the Alone – Charity Multipurpose Non‑profit WordPress Theme through version 7.8.5. The flaw allows arbitrary files on the web server. Deleting critical configuration files such as wp‑config.php can enable an attacker to execute scripts or seize full control of the site, thereby compromising confidentiality, integrity, and availability of the affected application. The weakness is classified as CWE‑73, indicating a lack of proper path sanitization. The CVSS score of 9.1 marks it as Critical severity.

Affected Systems

Bearsthemes published the Alone – Charity Multipurpose Non‑profit WordPress Theme. All installations using versions 7.8.5 or earlier are vulnerable. The fix that validates file paths correctly and blocks unauthorized deletion attempts is fully addressed in version 7.8.7; the status of versions such as 7.8.6 has not been explicitly documented and is therefore unknown.

Risk and Exploitability

The EPSS score is < 1%, indicating a very low but non‑zero exploitation probability. The absence of a KEV listing means there are no confirmed incidents yet reported in the CISA catalog, though the high CVSS indicates a strong potential impact. Attackers would construct a deletion request via the vulnerable function, which requires no authentication and can be triggered from any access point that calls alone_import_pack_restore_data().

Generated by OpenCVE AI on June 18, 2026 at 06:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Alone theme to version 7.8.7 or later.
  • If an upgrade is not possible, restrict access to the import functionality by disabling it in the theme settings or removing the API endpoint, ensuring only authenticated administrators can trigger it.
  • Verify that no uncontrolled file deletion is possible by performing a file integrity check and restricting file upload permissions; monitor logs for attempted delete operations.

Generated by OpenCVE AI on June 18, 2026 at 06:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21417 The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addresses in 7.8.7.
Title Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Deletion Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.5 - Missing Authorization to Unauthenticated Arbitrary File Deletion

Tue, 15 Jul 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00257}


Tue, 15 Jul 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Deletion
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:57.417Z

Reserved: 2025-05-30T15:55:36.748Z

Link: CVE-2025-5393

cve-icon Vulnrichment

Updated: 2025-07-15T13:23:28.561Z

cve-icon NVD

Status : Deferred

Published: 2025-07-15T04:15:46.870

Modified: 2026-06-17T09:47:50.173

Link: CVE-2025-5393

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T06:45:04Z

Weaknesses
  • CWE-73

    External Control of File Name or Path