Description
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this.
Published: 2025-07-15
Score: 9.8 Critical
EPSS: 17.5% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerable Alone – Charity Multipurpose Non‑profit WordPress Theme allows arbitrary file uploads because the alone_import_pack_install_plugin() function lacks a capability check. An unauthenticated attacker can therefore invoke the theme's plugin-installation routine and point it at a ZIP archive hosted at a location they control. The archive is structured like a plugin but carries a webshell or other PHP payload; when the theme installs it, that code lands in the site's plugin directory and can be reached by the attacker afterwards, giving remote code execution on the affected site.

Affected Systems

All releases of the Bearsthemes Alone – Charity Multipurpose Non‑profit WordPress Theme with version numbers up to and including 7.8.3 are affected. Any installation still on one of these versions remains vulnerable until it is upgraded to a release in which the vendor has added the capability check.

Risk and Exploitability

The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates critical severity, while the EPSS score of 17.5% suggests a moderate probability of exploitation in the wild. Because the vulnerability can be triggered by an unauthenticated remote attacker, the attack vector is network‑based and requires only the ability to reach the request handler that invokes the theme's plugin‑installation function; no credentials and no user interaction are needed. Note that the attacker does not upload the archive directly: the server fetches it from the remote location the attacker names, so controls that only inspect multipart file uploads will not see it. The missing authorization check aligns with CWE‑862. Although it is not currently listed in the CISA KEV catalog (the SSVC record marks it Automatable: yes, Exploitation: none), the severity and the trivial nature of webshell payloads make it a serious risk for any site still running a vulnerable theme.

Generated by OpenCVE AI on April 21, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Alone theme to a version newer than 7.8.3 as soon as the vendor publishes a release that adds the missing capability check; until then, treat every site running 7.8.3 or earlier as exposed.
  • Until the patch can be applied, disable the import‑pack plugin‑installation function or unregister the request handler that reaches it, so that plugin installation can only be triggered by an authenticated administrator holding the install_plugins capability.
  • Configure a web application firewall or server rules to block unauthenticated requests to the handler that triggers the import/installation function. Rules that only block ZIP uploads are not sufficient here, because the archive is fetched by the server from the remote location the attacker supplies. On sites that were exposed, audit wp-content/plugins/ for plugins that nobody installed.
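The following is an added illustration of the bug class described in the Impact section and of the fix recommended above. It is not the Alone theme's code: the hook names, the request parameter names and the example_ function names are assumptions chosen for the demonstration. The first handler shows the vulnerable pattern (reachable without a session, no capability check, installs from an attacker-supplied URL); the second shows the same handler with the authorization, nonce and source checks WordPress expects.

```php
<?php
// Added example, not code from the Alone theme. Hook names, parameter names
// and example_* function names are assumptions for this illustration.

// --- Vulnerable pattern -------------------------------------------------
// Registered for logged-out visitors via wp_ajax_nopriv_*, performs no
// capability check, and installs whatever archive the caller points it at.
function example_import_pack_install_plugin_vulnerable() {
    $url = isset( $_POST['plugin_url'] ) ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) ) : '';
    if ( '' === $url ) {
        wp_send_json_error( 'missing url' );
    }
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // Plugin_Upgrader::install() downloads the ZIP, unpacks it into
    // wp-content/plugins/ and leaves every file in it on disk, webshell included.
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $url );
    wp_send_json_success( $result );
}
// The nopriv hook is what makes this reachable by unauthenticated attackers.
add_action( 'wp_ajax_nopriv_example_install_plugin', 'example_import_pack_install_plugin_vulnerable' );
add_action( 'wp_ajax_example_install_plugin', 'example_import_pack_install_plugin_vulnerable' );

// --- Hardened pattern ---------------------------------------------------
function example_import_pack_install_plugin_hardened() {
    // 1. Authorization: only users allowed to install plugins may proceed.
    //    This is the check whose absence is the CWE-862 issue.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the nonce ties the request to the admin UI; check_ajax_referer()
    //    terminates the request on a bad or missing nonce.
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // 3. Source restriction: accept a plugin slug only and resolve it through
    //    the WordPress.org API rather than downloading an arbitrary URL.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 400 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}
// No wp_ajax_nopriv_ registration: visitors without a session never reach it.
add_action( 'wp_ajax_example_install_plugin', 'example_import_pack_install_plugin_hardened' );
```

The capability check alone closes the unauthenticated path that this CVE describes; the nonce and the slug-only source restriction are the additional controls that stop a logged-in low-privilege user or a cross-site request from reaching the same installer with an arbitrary archive.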

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Removed: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
Values Added: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this.

Tue, 15 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Added: {'score': 0.00183}


Tue, 15 Jul 2025 04:00:00 +0000

Type: Description
Values Added: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
Type: Title
Values Added: Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
Type: Weaknesses
Values Added: CWE-862
Type: References
Values Added: (empty)
Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:57.436Z

Reserved: 2025-05-30T16:01:34.027Z

Link: CVE-2025-5394

Vulnrichment

Updated: 2025-07-15T13:37:55.417Z

NVD

Status : Deferred

Published: 2025-07-15T04:15:55.200

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5394

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:45:16Z

Weaknesses