- The Alone – Charity Non-profit WordPress theme has a flaw rated 9.8/10
- The bug allows crooks to create rogue administrator accounts
- More than 120,000 exploitation attempts have already been blocked
The Alone – Charity Non-profit WordPress theme, a commercial theme used on many WordPress sites, contained a critical vulnerability that allowed threat actors to take full control of the website, experts have warned.
The theme, designed for charities, NGOs and fundraising campaigns, offers more than 40 ready-to-use demos, donation integration and compatibility with Elementor and WPBakery.
According to Themetix, around 200 active WordPress sites are running this theme today.
Ongoing attacks
Wordfence researchers say exploitation began on July 12, two days before the vulnerability was publicly disclosed. So far, the company has blocked more than 120,000 exploitation attempts coming from nearly a dozen different IP addresses.
In the attacks, threat actors attempt to upload a ZIP archive containing a PHP-based backdoor that gives them remote code execution, as well as the ability to upload arbitrary files. The crooks have also used the flaw to deliver payloads that create additional administrator accounts.
All versions up to 7.8.3 contained a vulnerability that allowed threat actors to upload arbitrary files, including malware that can create administrator accounts. With that, crooks can completely take over websites and use them to host other malware, redirect visitors to other malicious pages, serve phishing landing pages, and so on.
The vulnerability is now tracked as CVE-2025-4394 and carries a severity score of 9.8/10 (critical). It was addressed in version 7.8.5, released on June 16, 2025. If you use this theme, it would be wise to update it as soon as possible, because the bug is being actively exploited in the wild.
WordPress is generally considered a secure website platform, but third-party themes and plugins, not so much. That is why security professionals advise WordPress users to keep only the plugins and themes they actively use and to make sure they are always up to date.
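As an added example that is not from the article, Wordfence or the theme's developers, the following Python triage script checks a WordPress install for the three things described above: whether the installed theme version predates the 7.8.5 fix, whether executable PHP files have appeared under wp-content/uploads (where an uploaded backdoor would typically land), and whether administrator accounts were registered on or after the reported July 12 exploitation start. The theme directory name `alone` and the column layout of `wp user list --format=csv` are assumptions; adjust them to your install.

```python
import csv
import io
import re
from datetime import date
from pathlib import Path

# First version the article reports as fixing CVE-2025-4394.
FIXED_VERSION = (7, 8, 5)
# Assumed directory name of the theme under wp-content/themes (not taken from the article).
THEME_SLUG = "alone"
# Exploitation start date reported in the article.
EXPLOIT_START = date(2025, 7, 12)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

def parse_theme_version(style_css_text):
    """Extract the 'Version:' header from a theme's style.css into a comparable tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", style_css_text, re.M)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def theme_is_vulnerable(version):
    """True when the installed version predates the fix (tuple compare handles 7.8.10 > 7.8.5)."""
    return version is not None and version < FIXED_VERSION

def suspicious_uploads(relative_paths):
    """Return paths under wp-content/uploads that are executable PHP; media uploads never need them."""
    return sorted(p for p in relative_paths
                  if Path(p).suffix.lower() in PHP_SUFFIXES
                  and Path(p).parts[:2] == ("wp-content", "uploads"))

def recent_admins(user_csv, since=EXPLOIT_START):
    """Flag administrator accounts registered on/after the exploitation start date.
    Expects the columns produced by `wp user list --format=csv` (assumed layout)."""
    flagged = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        registered = date.fromisoformat(row["user_registered"][:10])
        if "administrator" in row["roles"].split(",") and registered >= since:
            flagged.append(row["user_login"])
    return flagged

def audit(wp_root):
    """Run the on-disk checks against a WordPress document root; feed WP-CLI output to recent_admins()."""
    root = Path(wp_root)
    style = root / "wp-content" / "themes" / THEME_SLUG / "style.css"
    version = parse_theme_version(style.read_text(errors="replace")) if style.exists() else None
    files = (str(p.relative_to(root)) for p in (root / "wp-content" / "uploads").rglob("*") if p.is_file())
    return {"theme_version": version, "vulnerable": theme_is_vulnerable(version),
            "php_in_uploads": suspicious_uploads(files)}
```

A hit from any of the three checks is a reason to treat the site as compromised rather than merely outdated, since the article notes the upload flaw was used to plant backdoors and admin accounts before the patch was widely applied.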
Via The Hacker News