CVE-2025-5393
Published: 15 July 2025
Summary
CVE-2025-5393 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in the Alone – Charity Multipurpose Non-profit WordPress Theme, a theme distributed through ThemeForest (vendor attribution inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Alone – Charity Multipurpose Non-profit WordPress Theme for WordPress is affected by CVE-2025-5393, an arbitrary file deletion vulnerability caused by insufficient file path validation in the alone_import_pack_restore_data() function. The flaw impacts all versions through 7.8.5, was only partially addressed in that release, and received a complete fix in 7.8.7. The issue carries a CVSS 3.1 score of 9.1 and is tracked under CWE-73.
Unauthenticated remote attackers can invoke the vulnerable function to delete arbitrary files on the underlying server. Deletion of critical files such as wp-config.php can immediately enable remote code execution and full site compromise.
The Wordfence advisory and the theme listing on ThemeForest both direct administrators to update to version 7.8.7 or newer; no other workarounds are specified. The associated EPSS score has remained flat at 0.0180 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21417
Vulnerability details
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched in 7.8.5 and has been fully addressed in 7.8.7.
- CWE(s): CWE-73 (External Control of File Name or Path)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated remote exploitation of a public-facing WordPress component (T1190) via a path validation flaw that enables arbitrary file deletion (T1485, Data Destruction).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely identification, reporting, and patching of the flawed alone_import_pack_restore_data() function in the Alone WordPress theme to version 7.8.7 or later.
- SI-10 (Information Input Validation): Addresses the root cause of insufficient file path validation by enforcing validation of all inputs to the vulnerable function, preventing arbitrary file paths from enabling deletions.
- SC-7 (Boundary Protection): Provides boundary protection via web application firewalls or similar controls to monitor and block unauthenticated remote exploitation attempts targeting the vulnerable import function.
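The following is an added illustration of the input-validation control (SI-10) described above as applied to a restore/cleanup handler: a user-supplied file name is confined to one directory before anything is deleted. It is example code written for this page, not the Alone theme's own alone_import_pack_restore_data() implementation, and the directory layout and function names are assumptions. In a real WordPress handler this check would additionally sit behind a capability check (current_user_can) and a nonce check (check_admin_referer), which are omitted here so the script runs stand-alone under the PHP CLI.

```php
<?php
// Added example (not the theme's code): confine a user-supplied file name to
// one directory before deleting it. The weak pattern the advisory describes is
// building a path from request input and calling unlink() without this check.

function resolve_inside_dir(string $base_dir, string $user_supplied): ?string
{
    // Accept only a bare file name: no separators, no NUL bytes, no dot segments.
    // basename() strips "../", but "." and ".." survive it, so test them explicitly.
    if ($user_supplied === ''
        || $user_supplied !== basename($user_supplied)
        || $user_supplied === '.'
        || $user_supplied === '..'
        || strpos($user_supplied, "\0") !== false) {
        return null;
    }

    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null; // base directory does not exist
    }

    // realpath() resolves symlinks, so a link pointing outside the base is caught
    // by the prefix comparison below rather than followed.
    $real_target = realpath($real_base . DIRECTORY_SEPARATOR . $user_supplied);
    if ($real_target === false) {
        return null; // target does not exist or is unreadable
    }

    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($real_target, $prefix, strlen($prefix)) !== 0 || !is_file($real_target)) {
        return null; // escaped the directory, or is not a regular file
    }

    return $real_target;
}

// Deletes a restore artefact only when it resolves inside $base_dir.
function safe_delete_restore_artifact(string $base_dir, string $user_supplied): bool
{
    $path = resolve_inside_dir($base_dir, $user_supplied);
    if ($path === null) {
        return false;
    }
    return unlink($path);
}

// Self-contained demonstration in a scratch directory (constructed sample data).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'restore-demo-' . getmypid();
mkdir($base, 0700);
file_put_contents($base . DIRECTORY_SEPARATOR . 'backup.json', '{}');
$outside = $base . '-outside.txt'; // a sibling file the handler must never touch
file_put_contents($outside, 'keep');

$cases = [
    '../' . basename($outside), // traversal to a sibling file
    '../../wp-config.php',      // traversal further up the tree
    '..',                       // bare dot segment
    'backup.json',              // the one legitimate artefact
];
foreach ($cases as $name) {
    $deleted = safe_delete_restore_artifact($base, $name);
    printf("%-28s deleted=%s\n", var_export($name, true), $deleted ? 'yes' : 'no');
}
printf("sibling file still present: %s\n", file_exists($outside) ? 'yes' : 'no');

// Clean up the scratch files.
unlink($outside);
rmdir($base);
```

The two checks complement each other: the basename/dot-segment test rejects malformed input before any filesystem call, and the realpath() prefix comparison rejects anything that still resolves outside the base directory, which is what stops a symlink placed inside the directory from being used to reach a file such as wp-config.php.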