- Alone – Charity Multipurpose Non-profit WordPress Theme has a 9.8/10 flaw
- The bug lets attackers create rogue admin accounts
- More than 120,000 takeover attempts already blocked
The “Alone – Charity Multipurpose Non-profit WordPress Theme”, a commercial theme used on many WordPress websites, contained a critical vulnerability that allowed threat actors to completely take over the website, experts have warned.
The WordPress theme, designed for charities, NGOs, and fundraising campaigns, offers more than 40 ready-to-use demos, donation integration, and compatibility with Elementor and WPBakery.
According to Themetix, around 200 active WordPress sites are running this theme right now.
Ongoing attacks
Wordfence researchers claim exploitation began on July 12, two days before the vulnerability was publicly disclosed. So far, the company has blocked more than 120,000 exploitation attempts from almost a dozen different IP addresses.
In the attacks, the threat actors try to upload a ZIP archive containing a PHP-based backdoor that grants them remote code execution capabilities, as well as the ability to upload arbitrary files. Crooks also used the flaw to deliver backdoors that can create additional admin accounts.
All versions up to 7.8.3 contained a vulnerability that allowed threat actors to upload arbitrary files, including malware that can create admin accounts. That way, crooks can completely take over websites and use them to host other malware, redirect visitors to other malicious pages, serve phishing landing pages, and more.
The vulnerability is now tracked as CVE-2025-4394 and has a severity score of 9.8/10 (critical). It was addressed in version 7.8.5, which was released on June 16, 2025. If you're using this theme, it would be wise to update it as soon as possible, since the bug is being actively exploited in the wild.
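The article gives a site owner three concrete things to check: whether the installed theme predates the fixed release 7.8.5, whether PHP files have appeared under the uploads directory (where an uploaded ZIP-delivered backdoor would land), and whether administrator accounts were created on or after the first observed exploitation date of July 12. The following script is an added example, not code from the article, Wordfence, or the theme vendor; it parses a theme `style.css` header for its version, applies those three checks, and runs entirely on constructed sample data (the file paths and user records below are made up for illustration). On a real site you would feed it the theme's actual `style.css`, a file listing of `wp-content/uploads`, and the user table.

```python
"""
Added triage helper (not from the article or the theme vendor) for a
WordPress site running the "Alone" theme:
  1. parse the theme's style.css header and decide whether the installed
     version is older than the patched release 7.8.5;
  2. flag PHP files under wp-content/uploads, where uploaded backdoors land;
  3. flag administrator accounts registered on or after the first observed
     exploitation date (July 12, 2025).
All sample inputs below are constructed for illustration.
"""
from __future__ import annotations

import re
from datetime import date
from pathlib import PurePosixPath

FIXED_VERSION = (7, 8, 5)                 # patched release named in the advisory
FIRST_EXPLOIT_DATE = date(2025, 7, 12)    # earliest in-the-wild attempts reported
PHP_EXTENSIONS = {".php", ".phtml", ".phar"}


def parse_version(style_css: str) -> tuple[int, ...]:
    """Return the 'Version:' header of a WordPress theme style.css as an int tuple."""
    m = re.search(r"^\s*Version:\s*([0-9][0-9.]*)", style_css, re.MULTILINE)
    if not m:
        raise ValueError("no Version header found in style.css")
    return tuple(int(p) for p in m.group(1).rstrip(".").split("."))


def needs_update(installed: tuple[int, ...], fixed: tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when installed < fixed; pads with zeros so 7.8 compares as 7.8.0."""
    n = max(len(installed), len(fixed))
    return installed + (0,) * (n - len(installed)) < fixed + (0,) * (n - len(fixed))


def php_in_uploads(paths: list[str]) -> list[str]:
    """PHP files under wp-content/uploads are not expected on a healthy site.

    Every suffix is inspected, so a double extension such as name.php.jpg is
    also reported, since some server configurations still execute it.
    """
    hits = []
    for p in paths:
        pp = PurePosixPath(p)
        parts = pp.parts
        under_uploads = any(
            parts[i:i + 2] == ("wp-content", "uploads") for i in range(len(parts) - 1)
        )
        if under_uploads and any(s.lower() in PHP_EXTENSIONS for s in pp.suffixes):
            hits.append(p)
    return hits


def suspicious_admins(users: list[dict], since: date = FIRST_EXPLOIT_DATE) -> list[str]:
    """Logins of administrators registered on or after the given date."""
    return [
        u["login"]
        for u in users
        if "administrator" in u["roles"] and date.fromisoformat(u["registered"]) >= since
    ]


def triage(style_css: str, paths: list[str], users: list[dict]) -> dict:
    """Run all three checks and return a summary dict."""
    v = parse_version(style_css)
    return {
        "installed_version": ".".join(map(str, v)),
        "needs_update": needs_update(v),
        "php_in_uploads": php_in_uploads(paths),
        "suspicious_admins": suspicious_admins(users),
    }


# Constructed sample inputs (not real site data).
SAMPLE_STYLE_CSS = """/*
Theme Name: Alone
Version: 7.8.3
*/"""

SAMPLE_PATHS = [
    "wp-content/uploads/2025/07/report.pdf",
    "wp-content/uploads/2025/07/image.png",
    "wp-content/uploads/2025/07/cache/index.php",
    "wp-content/uploads/2025/07/avatar.php.jpg",
    "wp-content/themes/alone/functions.php",   # theme code, expected to be PHP
]

SAMPLE_USERS = [
    {"login": "editor_jane", "roles": ["editor"], "registered": "2024-03-01"},
    {"login": "siteowner", "roles": ["administrator"], "registered": "2023-11-20"},
    {"login": "wp_support1", "roles": ["administrator"], "registered": "2025-07-13"},
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_STYLE_CSS, SAMPLE_PATHS, SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

A hit from any of the three checks is a reason to treat the site as compromised rather than merely unpatched: updating the theme closes the upload path but does not remove a backdoor or an attacker-created account that is already in place.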
WordPress is generally considered a secure website builder platform, but third-party themes and plugins – not so much. That is why security professionals advise WordPress users to only keep the plugins and themes they actively use, and to make sure they're always up to date.
Through The Hacker News