Hackers Seize WordPress Sites via Theme File Flaw
Hackers are actively exploiting a critical vulnerability in the popular WordPress theme “Alone – Charity Multipurpose Non-profit” to gain control of websites. The flaw, identified as CVE-2025-5394, has a severity rating of 9.8 on the CVSS scale. Threat actors are using it to upload arbitrary files, which lets them install unauthorized plugins and seize full control of a site. Multiple attacks have been observed in which hackers seize WordPress sites through remote plugin installations.
According to security firm Wordfence, the vulnerability stems from flawed input validation in the theme’s file upload function. Researchers confirmed that attackers can bypass standard restrictions by submitting specially crafted requests. Once inside, they deploy malicious code to maintain persistent access. Wordfence credited security researcher Thái An with discovering and reporting the issue. Cybercriminals have already begun targeting unpatched sites as part of their campaigns. With hackers seizing WordPress sites at scale, experts recommend disabling the vulnerable component or applying security patches immediately.
https://thehackernews.com/2025/07/hackers-exploit-critical-wordpress.html
