Threat actors are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the “Alone” WordPress theme to achieve remote code execution and take over vulnerable sites completely.
Wordfence reported the malicious activity and said it had blocked more than 120,000 exploitation attempts targeting its customers.
The WordPress security firm also reported that the attacks began a few days before the vulnerability was publicly disclosed, indicating that threat actors are monitoring changelogs and patches to spot minor but exploitable issues before website owners are alerted.
The vulnerability, tracked as CVE-2025-5394, affects all versions of Alone up to 7.8.3. The vendor, Bearsthemes, fixed it in version 7.8.5, released on June 16, 2025.
The flaw lies in the theme’s “alone_import_pack_install_plugin()” function.
This function allows plugins to be installed via AJAX and accepts a remote source URL in the POST data, which lets unauthenticated users trigger a plugin installation from a remote URL.
According to Wordfence, attackers leverage the flaw to upload web shells inside ZIP archives, deploy password-protected PHP backdoors that allow persistent remote command execution via HTTP requests, or create hidden admin users.
In some cases, the attacker installs a full-featured file manager that provides complete control over the site’s database.
Given the above, indicators of compromise include the appearance of a new admin user, suspicious ZIP files or plugin folders, and requests to “admin-ajax.php?action=alone_import_pack_install_plugin”.
Wordfence recorded tens of thousands of exploitation attempts from the IP addresses 193.84.71.244, 87.120.92.24, 146.19.213.18, and 2A0b:4141:820:752::2, so these should be blocked immediately.

Source: Wordfence
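The two indicators the article gives that are visible in an ordinary web server access log are the AJAX action name in the request line and the four source IPs. The following script, an added example that is not part of the article or of Wordfence's own tooling, shows how a defender would sweep existing Apache/Nginx access logs for both. The log lines it runs on are constructed for the example; only the action name and the IP addresses come from the article. It rates a hit on the action name as high, and a POST to admin-ajax.php from a listed IP as medium, because the access log cannot show a POST body and an action passed only there is invisible to this check (a WAF or request-body logging is needed for that).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the article: the AJAX action name and the four
# source addresses Wordfence saw in the exploitation attempts.
IOC_ACTION = "alone_import_pack_install_plugin"
IOC_IPS = {
    ipaddress.ip_address(s)
    for s in ("193.84.71.244", "87.120.92.24", "146.19.213.18", "2a0b:4141:820:752::2")
}

# Common/combined access-log format as written by Apache and Nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# The action must be a whole query parameter, not a substring of another one.
ACTION_RE = re.compile(rf"(?:^|&)action={re.escape(IOC_ACTION)}(?:&|$)")


@dataclass
class Finding:
    line_no: int
    ip: str
    method: str
    target: str
    status: int
    reasons: List[str]

    @property
    def severity(self) -> str:
        # The action name in the request line is the direct indicator the
        # article names. A listed IP alone is weaker evidence: the access log
        # cannot show a POST body, so a POST to admin-ajax.php from a listed
        # IP without the action in the query string is rated medium.
        if "ioc_action" in self.reasons:
            return "high"
        if self.method == "POST" and is_admin_ajax(self.target):
            return "medium"
        return "low"


def is_admin_ajax(target: str) -> bool:
    path = target.partition("?")[0]
    return path.endswith("/admin-ajax.php")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into fields; None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines) -> List[Finding]:
    """Return a Finding for every log line that matches at least one indicator."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons: List[str] = []
        target = rec["target"]
        query = target.partition("?")[2]
        if is_admin_ajax(target) and ACTION_RE.search(query):
            reasons.append("ioc_action")
        try:
            if ipaddress.ip_address(rec["ip"]) in IOC_IPS:
                reasons.append("ioc_ip")
        except ValueError:
            pass  # hostname or malformed client field; skip the IP check
        if reasons:
            findings.append(Finding(n, rec["ip"], rec["method"], target,
                                    int(rec["status"]), reasons))
    return findings


# Constructed sample log: requests, timestamps and the non-listed client
# addresses are made up for this example (RFC 5737 documentation ranges);
# only the action name and the listed IPs come from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123
193.84.71.244 - - [20/Jul/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 87
198.51.100.23 - - [20/Jul/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 403 0
2a0b:4141:820:752::2 - - [20/Jul/2025:10:03:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87
192.0.2.9 - - [20/Jul/2025:10:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        # A 403 still matters: the attempt was made even though it was blocked.
        print(f"line {f.line_no}: {f.severity:6} {f.ip} {f.method} {f.target} "
              f"status={f.status} reasons={','.join(f.reasons)}")
```

On the sample, the third line is flagged high even though the server answered 403: a blocked attempt from an address not on the list is still evidence that the site is being scanned for this flaw and that the theme version should be checked. A successful (200) hit on the action name is the case where the follow-up checks from the article apply: look for a new administrator user and for unexpected ZIP files or plugin folders.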
Alone is a premium theme with around 10,000 sales on the Envato marketplace, used mainly by nonprofit organizations such as charities, NGOs, fundraising groups, and social organizations.
Wordfence submitted a report to Bearsthemes as early as May 30, 2025, but received no response, and on June 12 it escalated the issue to the Envato team.
Four days later, the vendor released the fixed version, v7.8.5, on its own. This is the recommended update target for all users.
Last month, Motors, another premium WordPress theme, was targeted by hackers who exploited a flaw in user verification to hijack administrator accounts on vulnerable websites.