Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Beplusthemes Alone alone allows Code Injection. This issue affects Alone: from n/a through < 7.8.5.
Published: 2025-08-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is classified as CWE-94 (Improper Control of Generation of Code): input the attacker influences reaches a point where the Alone theme builds or evaluates code, so attacker-chosen PHP can run under the account the web server uses for the WordPress site. The CNA title calls this arbitrary code execution, while the CVSS vector rates the confidentiality, integrity and availability impacts as Low with a scope change. Where code execution is in fact reachable, the practical consequences on a typical WordPress host include reading wp-config.php and the database credentials in it, writing a web shell into the document root, and reaching anything else the web server account can touch.

Affected Systems

Any installation of the Alone theme running a version earlier than 7.8.5 is affected; no lower bound is recorded ('from n/a'), so every earlier release should be treated as vulnerable. The vendor is listed as Beplusthemes in the current description and as Bearsthemes in the original CVE text and the EUVD entry; both records describe the same theme. The issue is in the theme itself rather than in an optional plugin, so every site with the theme in use remains exposed until it is updated to 7.8.5 or later.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (Medium) comes from the vector AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L: the flaw is reachable over the network with no privileges and no user interaction, but attack complexity is rated High and the impact on confidentiality, integrity and availability is rated Low, with a scope change. The EPSS probability is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC assessment in the record marks exploitation 'none', automatable 'no' and technical impact 'partial'. The advisory does not describe the attack vector; the CWE-94 classification implies that attacker-controlled input reaches a code-building or code-evaluating sink in the theme, but which parameter or hook is involved is not public, so any specific request pattern (form submission, query parameter) is inference. Exploitation in the wild is therefore unlikely at present, but a working exploit would run PHP as the web server account, so internet-facing sites should still be patched promptly.

Generated by OpenCVE AI on April 30, 2026 at 08:41 UTC.

Remediation

The record lists no vendor advisory or workaround. The affected range (< 7.8.5) and the CNA title indicate that 7.8.5 is the first fixed release, so updating the theme is the remediation.

OpenCVE Recommended Actions

  • Upgrade Alone to version 7.8.5 or later to replace the vulnerable code paths.
  • If an upgrade cannot be applied immediately, disable or remove the theme to prevent execution of malicious code through its hooks.
  • Scan the site’s file system and database for injected code patterns that may have been introduced by this vulnerability and delete any malicious content found.
  • Monitor server and application logs for signs of unauthorized code execution or abnormal activity and be ready to roll back to a known clean backup if compromise is detected.
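
As an added example for the first and third actions above (not OpenCVE's or Beplusthemes' code), the script below reads the theme header in style.css to decide whether the installed version is below 7.8.5, comparing numeric components so that 7.8.10 is not mistaken for an old release, and runs a line-oriented scan for CWE-94 sinks over theme PHP. The sample header and PHP are constructed for the example; the theme directory is a path the reader supplies. The sink list is a triage heuristic: a hit is a lead to read, not proof of injection, and the scan does not follow data flow across lines.

```python
"""Post-advisory checks for a WordPress theme: installed version against the
fixed release, and a CWE-94 sink scan over theme PHP to triage possible
injected code. Added example; not Beplusthemes' or OpenCVE's code."""
import re
from pathlib import Path

FIXED_VERSION = (7, 8, 5)  # first fixed release named in the advisory title

# Constructed sample of a WordPress theme header, as found in style.css.
SAMPLE_STYLE_CSS = """/*
Theme Name: Alone
Version: 7.8.4
*/
"""

# Constructed sample PHP: two code-evaluation sinks fed by request data, one
# dynamic include, one benign call. Not taken from the theme.
SAMPLE_PHP = """<?php
$tpl = $_GET['layout'];
echo esc_html( get_theme_mod( 'footer_text' ) );
eval( base64_decode( $_REQUEST['data'] ) );
$cb = create_function( '$a', 'return ' . $_POST['expr'] . ';' );
include( get_template_directory() . '/parts/' . $tpl . '.php' );
"""


def parse_theme_version(style_css):
    """Return the header 'Version:' as a tuple of ints, or None if absent."""
    m = re.search(r"^\s*Version:\s*([0-9][0-9.]*)", style_css, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(version):
    """Tuple comparison, so (7, 8, 10) sorts above (7, 8, 5) where a string
    comparison would not. An unknown version is not reported as vulnerable;
    treat None as 'check manually'."""
    return version is not None and version < FIXED_VERSION


# PHP constructs through which attacker-controlled strings become code.
SINKS = {
    "eval": re.compile(r"\beval\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "assert_on_variable": re.compile(r"\bassert\s*\(\s*\$"),
    "preg_replace_e_modifier": re.compile(
        r"\bpreg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    "dynamic_include": re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*\$"),
}
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")


def scan_php_source(source):
    """Return (line_no, sink_name, level) for each sink hit. Level is 'high'
    when request data appears on the same line, else 'review'. Single-line
    heuristic only: the include in SAMPLE_PHP is fed by $_GET two lines
    earlier but is rated 'review'."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pat in SINKS.items():
            if pat.search(line):
                level = "high" if SUPERGLOBAL.search(line) else "review"
                findings.append((lineno, name, level))
    return findings


def scan_theme_dir(theme_dir):
    """Run scan_php_source over every .php file under a theme directory
    (e.g. wp-content/themes/alone); returns {path: findings}."""
    results = {}
    for path in Path(theme_dir).rglob("*.php"):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    v = parse_theme_version(SAMPLE_STYLE_CSS)
    print("installed:", ".".join(map(str, v)), "below 7.8.5:", is_vulnerable(v))
    for hit in scan_php_source(SAMPLE_PHP):
        print(hit)
```

On the constructed sample the version check reports 7.8.4 as below the fix, and the scan returns the eval and create_function lines as 'high' and the variable include as 'review'; on a real site, point scan_theme_dir at the theme directory and read every hit before deleting anything, since themes legitimately use dynamic includes for template parts.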

Generated by OpenCVE AI on April 30, 2026 at 08:41 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-28547
Title: Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. This issue affects Alone: from n/a through n/a.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. This issue affects Alone: from n/a through n/a.
  Added: Improper Control of Generation of Code ('Code Injection') vulnerability in Beplusthemes Alone alone allows Code Injection. This issue affects Alone: from n/a through < 7.8.5.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L'}


Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared
  Added: Wordpress; Wordpress wordpress
Vendors & Products
  Added: Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. This issue affects Alone: from n/a through n/a.
Title WordPress Alone < 7.8.5 - Arbitrary Code Execution Vulnerability
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:05:36.392Z

Reserved: 2025-07-16T08:51:37.993Z

Link: CVE-2025-54019

Vulnrichment

Updated: 2025-08-20T13:55:09.444Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:45.863

Modified: 2026-04-23T15:32:42.777

Link: CVE-2025-54019

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:45:16Z

Weaknesses