Cyber Resilience

CVE-2025-5393

Critical

Published: 15 July 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: update to 7.8.7 or newer
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0180 (83.2nd percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-5393 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.8% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Alone – Charity Multipurpose Non-profit WordPress Theme for WordPress is affected by CVE-2025-5393, an arbitrary file deletion vulnerability caused by insufficient file path validation in the alone_import_pack_restore_data() function. The flaw impacts all versions through 7.8.5, was only partially addressed in that release, and received a complete fix in 7.8.7. The issue carries a CVSS 3.1 score of 9.1 and is tracked under CWE-73.

Unauthenticated remote attackers can invoke the vulnerable function to delete arbitrary files on the underlying server. Deletion of critical files such as wp-config.php can immediately enable remote code execution and full site compromise.

The Wordfence advisory and the theme listing on ThemeForest both direct administrators to update to version 7.8.7 or newer; no other workarounds are specified. The associated EPSS score has remained flat at 0.0180 with no material increase since disclosure.

Vulnerability details

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addressed in 7.8.7.

CWE(s)

CWE-73 External Control of File Name or Path
Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1485 Data Destruction · Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Direct unauthenticated remote exploitation of a public-facing WordPress component (T1190) via a path validation flaw that enables arbitrary file deletion (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26360 · Shared CWE-73
CVE-2026-40370 · Shared CWE-73
CVE-2025-10134 · Shared CWE-73
CVE-2025-65115 · Shared CWE-73
CVE-2026-32749 · Shared CWE-73
CVE-2026-28442 · Shared CWE-73
CVE-2025-65473 · Shared CWE-73
CVE-2025-12529 · Shared CWE-73
CVE-2020-37080 · Shared CWE-73
CVE-2025-10494 · Shared CWE-73

Affected Assets

Themeforest (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

SI-2 Flaw Remediation · prevent

Directly mitigates the vulnerability by requiring timely identification, reporting, and patching of the flawed alone_import_pack_restore_data() function in the Alone WordPress theme to version 7.8.7 or later.

SI-10 Information Input Validation · prevent

Addresses the root cause of insufficient file path validation by enforcing validation of all inputs to the vulnerable function, preventing arbitrary file paths from enabling deletions.

Boundary protection · prevent · detect

Provides boundary protection via web application firewalls or similar controls to monitor and block unauthenticated remote exploitation attempts targeting the vulnerable import function.
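The following is an added illustration of the SI-10 control described above, applied to the pattern behind this CVE (a restore routine that deletes a file named by the caller). It is not the Alone theme's code and does not reproduce alone_import_pack_restore_data(); the function names resolve_restore_file() and delete_restore_file(), the single backup directory, and the $is_admin flag are assumptions made for the example. In a real WordPress handler the authorisation step would be a capability check (for example current_user_can('manage_options')) plus a nonce check rather than a boolean parameter.

```php
<?php
// Added example, not the theme's code: confine a caller-supplied file name
// to one backup directory before any deletion happens, and require an
// authorised caller first. Assumes PHP 8 (str_contains) and a writable
// temporary directory for the self-check at the bottom.

declare(strict_types=1);

/**
 * Resolve $requested against $allowed_dir and return the canonical path
 * only if it stays inside $allowed_dir; return null otherwise.
 */
function resolve_restore_file(string $requested, string $allowed_dir): ?string
{
    // Accept a bare file name only: directory separators, NUL bytes and
    // traversal components are rejected before the filesystem is touched.
    if ($requested === '' || $requested !== basename($requested)
        || str_contains($requested, "\0")
        || $requested === '.' || $requested === '..') {
        return null;
    }
    // Restrict to the character set and extensions an import pack can have.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.(json|zip)$/', $requested)) {
        return null;
    }

    $base = realpath($allowed_dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // realpath() returns false for a missing file and collapses symlinks,
    // so a link that points outside the directory fails the prefix check.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Delete a restore file by name. Returns true on success, false when the
 * caller is not authorised, the name is rejected, or unlink() fails.
 */
function delete_restore_file(string $requested, string $allowed_dir, bool $is_admin): bool
{
    // Authorisation first: an unauthenticated or low-privilege caller must
    // never reach the filesystem operation at all.
    if (!$is_admin) {
        return false;
    }
    $path = resolve_restore_file($requested, $allowed_dir);
    if ($path === null) {
        return false;
    }
    return unlink($path);
}

// Self-check using a constructed temporary backup directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'restore_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'pack.json', '{}');

$cases = [
    ['../wp-config.php', true],   // traversal: rejected by the name check
    ['pack.json', false],         // valid name, unauthorised caller: rejected
    ['pack.json', true],          // valid name, admin: deleted
];
foreach ($cases as [$name, $admin]) {
    $ok = delete_restore_file($name, $dir, $admin);
    printf("%-20s admin=%-5s => %s\n", $name, var_export($admin, true), $ok ? 'deleted' : 'refused');
}

rmdir($dir);
```

The two checks are deliberately layered: the name check rejects anything that is not a plain file name before the filesystem is consulted, and the realpath() prefix comparison catches what the string check cannot see (symlinks inside the directory). Either alone would have been enough to stop a traversal string, but only the combination also stops a pre-planted link.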

References