
CVE-2025-5396

Critical · RCE

Published: 17 July 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: not recorded
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0178 (83.1 percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-5396 is a critical-severity Code Injection (CWE-94) vulnerability in Themeforest (product inferred from references). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The Bears Backup plugin for WordPress is vulnerable to remote code execution in all versions through 2.0.0. The flaw stems from the bbackup_ajax_handle() function, which lacks any capability check and passes unsanitized user input directly to call_user_func(), enabling arbitrary function invocation. The issue is tracked as CWE-94 and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers can exploit the vulnerability over the network to run arbitrary code on the server. Successful exploitation allows actions such as injecting backdoors or creating new administrative accounts. On sites using the Alone theme at version 7.8.4 or earlier, the flaw can be chained with CVE-2025-5394 to first install Bears Backup and then achieve the same level of access.

The EPSS score remains flat at 0.0178 with no material increase after disclosure. Public references point to Wordfence threat intelligence and the Alone theme listing on ThemeForest, though no specific patch or mitigation details are provided in the available data.


Vulnerability details

The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability check, nor validating user-supplied input passed directly to call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or create new administrative user accounts, among other things. On WordPress sites running the Alone theme versions 7.8.4 and older, this can be chained with CVE-2025-5394 to install the Bears Backup plugin and achieve the same impact.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct unauthenticated RCE in a publicly exposed WordPress plugin via a missing capability check and missing input validation in an AJAX handler.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13773 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2026-30643 (shared CWE-94)
CVE-2026-30460 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2024-13792 (shared CWE-94)
CVE-2020-37052 (shared CWE-94)
CVE-2026-42555 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)

Affected Assets

Themeforest (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: Directly remediates the code injection flaw in the bbackup_ajax_handle() function of the Bears Backup plugin by requiring identification, reporting, and correction of the vulnerability.

Prevent (SI-10 Information Input Validation): Requires validation of user-supplied input before passing it to call_user_func(), preventing arbitrary code execution by unauthenticated attackers.

Prevent (AC-3 Access Enforcement): Enforces capability checks and access authorizations on the bbackup_ajax_handle() AJAX function to block unauthenticated remote access.
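A hardened shape for an admin-ajax handler of this kind, as an added example (hypothetical code written for this page, not the Bears Backup plugin's own): it applies the two controls above, a capability check (AC-3) and input validation (SI-10), and dispatches only through a fixed allowlist instead of handing a request parameter to call_user_func(). The hook name, nonce action, operation names and callbacks are assumptions.

```php
<?php
// Added example (hypothetical): a privileged admin-ajax handler that
// enforces a capability check and validates input before any dispatch.
// Not the plugin's own code; names below are constructed.

// Fixed allowlist: a request value selects an entry here. The request
// never names a PHP callable directly, so call_user_func() can only
// ever reach one of these two functions.
const EXAMPLE_BACKUP_ACTIONS = array(
    'create_backup' => 'example_backup_create',
    'list_backups'  => 'example_backup_list',
);

function example_backup_create() { return array( 'created' => true ); }
function example_backup_list()   { return array( 'backups' => array() ); }

function example_backup_ajax_handle() {
    // 1. CSRF protection: the request must carry a valid nonce for
    //    the constructed action 'example_backup_nonce'.
    check_ajax_referer( 'example_backup_nonce', 'nonce' );

    // 2. Capability check (AC-3): only administrators may run backup
    //    operations. Anonymous and low-privilege requests stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation (SI-10): normalise the operation name and
    //    look it up in the allowlist; anything else is rejected.
    $op = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    if ( ! array_key_exists( $op, EXAMPLE_BACKUP_ACTIONS ) ) {
        wp_send_json_error( array( 'message' => 'unknown operation' ), 400 );
    }

    // Only an allowlisted callback is ever invoked.
    $result = call_user_func( EXAMPLE_BACKUP_ACTIONS[ $op ] );
    wp_send_json_success( $result );
}

// Register for logged-in users only. Deliberately no 'wp_ajax_nopriv_'
// hook, so unauthenticated visitors cannot reach the handler at all.
add_action( 'wp_ajax_example_backup', 'example_backup_ajax_handle' );
```

When reviewing a plugin's AJAX handlers, the three things to look for are exactly these: a nonce check, a current_user_can() check before any privileged work, and no path from request data to a callable name or function argument without an allowlist in between.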
