CVE-2025-5393
Published: 15 July 2025
Summary
CVE-2025-5393 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in the Alone WordPress theme, distributed via ThemeForest (product inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 24.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely identification, reporting, and remediation of the flaw; in practice, updating the Alone WordPress theme, whose alone_import_pack_restore_data() function is affected, to version 7.8.7 or later.
- SI-10 (Information Input Validation): Addresses the root cause, insufficient file path validation, by requiring validation of every input that reaches the vulnerable function, so that attacker-supplied paths cannot drive the deletion.
- Boundary protection: Web application firewalls or similar controls at the network edge can monitor for and block unauthenticated remote requests that target the vulnerable import function.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is reachable through direct, unauthenticated remote exploitation of a public-facing WordPress component (Exploit Public-Facing Application, T1190), and the path validation weakness lets the attacker delete arbitrary files (Data Destruction, T1485).
NVD Description
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addressed in 7.8.7.
Deeper analysis
CVE-2025-5393 is a critical-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) affecting the Alone – Charity Multipurpose Non-profit WordPress Theme for WordPress. It stems from insufficient file path validation in the alone_import_pack_restore_data() function, which allows arbitrary file deletion in all versions up to and including 7.8.5. The flaw is classified as CWE-73 and was publicly disclosed on 2025-07-15.
Unauthenticated attackers can exploit the vulnerability remotely, with low attack complexity and no user interaction. By reaching the flawed function they can delete arbitrary files on the server, which can lead to remote code execution when a critical file such as wp-config.php is removed, disrupting site integrity and opening the way to further compromise.
The vulnerability was partially patched in version 7.8.5 and fully addressed in 7.8.7. Security practitioners should urge users of the Alone theme to update to 7.8.7 or later. Additional details are available in the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/2cb1b526-0df6-42a1-9294-90bc61730209?source=cve and on the theme's ThemeForest page at https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939.
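The root cause named above, a deletion routine that trusts a caller-supplied file path, is what SI-10 style input validation has to close. The PHP below is an added illustration written for this page, not code from the Alone theme, from its 7.8.7 fix, or from Wordfence; the function name safe_delete_within(), the directory it receives, and the constructed temporary files in the self-check are all hypothetical. It shows the containment check a restore/import routine should apply before calling unlink(): accept only a bare file name, resolve it with realpath(), and require that the resolved path still lies inside the one directory the routine is allowed to touch.

```php
<?php
// Added example, not code from the Alone theme or from Wordfence: a
// containment check that a restore/import routine should apply before it
// deletes anything. safe_delete_within() and $allowed_dir are hypothetical
// names; the only directory it may delete from is the one passed in.

/**
 * Delete $user_name only if it resolves to a regular file directly inside
 * $allowed_dir. Returns true on deletion, false when the request is rejected
 * or the deletion fails.
 */
function safe_delete_within(string $allowed_dir, string $user_name): bool
{
    // Callers must still gate this on authorization (e.g. current_user_can()
    // plus a nonce in WordPress); path validation is not an access control.

    // Reject embedded NUL bytes before any filesystem function sees the name.
    if ($user_name === '' || strpos($user_name, "\0") !== false) {
        return false;
    }

    // Accept only a bare file name: no directory separators, no '.' or '..'.
    if ($user_name === '.' || $user_name === '..' || basename($user_name) !== $user_name) {
        return false;
    }

    // realpath() canonicalises the base: symlinks and '..' are resolved.
    $base = realpath($allowed_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // Resolve the candidate and require that it is a regular file.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user_name);
    if ($candidate === false || !is_file($candidate)) {
        return false;   // missing, a directory, or a dangling symlink
    }

    // Containment: the resolved path must sit under the base directory. This
    // catches a symlink placed inside the directory that points outside it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    return unlink($candidate);
}

// Self-check on a constructed temporary layout (run with: php safe_delete.php).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'restore_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/backup.json', '{}');
$outside = tempnam(sys_get_temp_dir(), 'outside_');   // must survive every call

$results = [
    'inside file'   => safe_delete_within($dir, 'backup.json'),               // performed
    'traversal'     => safe_delete_within($dir, '../' . basename($outside)),  // rejected
    'absolute path' => safe_delete_within($dir, $outside),                    // rejected
    'missing file'  => safe_delete_within($dir, 'backup.json'),               // rejected (already gone)
];
symlink($outside, $dir . '/link');
$results['symlink out'] = safe_delete_within($dir, 'link');                   // rejected

foreach ($results as $case => $ok) {
    printf("%-14s deletion %s\n", $case, $ok ? 'performed' : 'rejected');
}
printf("outside file still present: %s\n", file_exists($outside) ? 'yes' : 'no');

// Clean up the constructed layout.
@unlink($dir . '/link');
@unlink($outside);
rmdir($dir);
```

Two design points matter here. First, the bare-name check runs before realpath(), so a traversal sequence or an absolute path is refused without ever being handed to the filesystem layer; realpath() alone would happily resolve "../wp-config.php". Second, the prefix comparison is made on the resolved path, not the requested one, which is what defends against a symlink dropped into the permitted directory. Neither check replaces the authorization gate that an import endpoint should have in front of it; the page's own finding is that the routine was reachable by unauthenticated requests, so both controls belong in a fix.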
Details
- CWE(s)