CVE-2025-5396
Published: 17 July 2025
Summary
CVE-2025-5396 is a critical-severity Code Injection (CWE-94) vulnerability in the Bears Backup plugin for WordPress, affecting all versions up to and including 2.0.0. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.9% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The Bears Backup plugin for WordPress is vulnerable to remote code execution in all versions through 2.0.0. The flaw stems from the bbackup_ajax_handle() function, which lacks any capability check and passes unsanitized user input directly to call_user_func(), enabling arbitrary function invocation. The issue is tracked as CWE-94 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the vulnerability over the network to run arbitrary code on the server. Successful exploitation allows actions such as injecting backdoors or creating new administrative accounts. On sites using the Alone theme at version 7.8.4 or earlier, the flaw can be chained with CVE-2025-5394 to first install Bears Backup and then achieve the same level of access.
The EPSS score remains flat at 0.0178 with no material increase after disclosure. Public references point to Wordfence threat intelligence and the Alone theme listing on ThemeForest, though no specific patch or mitigation details are provided in the available data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21756
Vulnerability details
The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability check, nor validating user-supplied input passed directly to call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or create new administrative user accounts, to name a few things. On WordPress sites running the Alone theme versions 7.8.4 and older, this can be chained with CVE-2025-5394 to install the Bears Backup plugin and achieve the same impact.
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
Direct unauthenticated RCE in a publicly exposed WordPress plugin, via a missing capability check and missing input validation in an AJAX handler.
Affected Assets
- Bears Backup plugin for WordPress, all versions up to and including 2.0.0
- Chain precondition only: Alone theme versions 7.8.4 and older (via CVE-2025-5394), which lets an unauthenticated attacker install the vulnerable plugin first
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the code injection flaw in the bbackup_ajax_handle() function of the Bears Backup plugin by requiring identification, reporting, and correction of the vulnerability.
- SI-10 (Information Input Validation): requires validation of user-supplied input before it is passed to call_user_func(), preventing arbitrary code execution by unauthenticated attackers.
- AC-3 (Access Enforcement): enforces capability checks and access authorizations on the bbackup_ajax_handle() AJAX function to block unauthenticated remote access.
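The following PHP is an added illustration, not code from the Bears Backup plugin or from Wordfence. It reconstructs the vulnerable AJAX-handler pattern described under "Vulnerability details" (no capability check, request-controlled callable handed to call_user_func()) and places the hardened form beside it, which is what AC-3 and SI-10 above amount to inside a WordPress plugin. The hook name bbackup_ajax, the nonce action bbackup_nonce, the request parameters func, arg, op and label, and the two allowed operations are assumptions for illustration; the advisory does not name them.

```php
<?php
// Added illustrative example, NOT the Bears Backup plugin's real source.
// Assumed names (not from the advisory): hook 'bbackup_ajax', nonce action
// 'bbackup_nonce', parameters func/arg/op/label, operations backup/list.
// In a real plugin only one of the two handlers below would be registered.

// ---- Vulnerable pattern (hypothetical reconstruction) ---------------------
// Hooked for anonymous users too (wp_ajax_nopriv_), no capability check, and
// the callable itself comes from the request: func=system&arg=id runs a shell
// command; func=wp_create_user style chains add an admin account.
function bbackup_ajax_handle_vulnerable() {
    $func = $_POST['func'];          // attacker-controlled function name
    $arg  = $_POST['arg'];           // attacker-controlled argument
    call_user_func( $func, $arg );   // arbitrary function invocation
    wp_die();
}
add_action( 'wp_ajax_bbackup_ajax',        'bbackup_ajax_handle_vulnerable' );
add_action( 'wp_ajax_nopriv_bbackup_ajax', 'bbackup_ajax_handle_vulnerable' );

// ---- Hardened version -----------------------------------------------------
// 1. No wp_ajax_nopriv_ hook: WordPress never dispatches anonymous requests.
// 2. Nonce check (CSRF) plus a capability check (AC-3, Access Enforcement).
// 3. The request selects a key in a fixed allowlist; it never supplies a
//    callable, and every parameter is sanitized (SI-10, Input Validation).

function bbackup_run_backup( $label ) {   // placeholder operation
    return 'backup started: ' . $label;
}
function bbackup_list_backups( $label ) { // placeholder operation
    return 'backups matching: ' . $label;
}

// Allowlist of operations the handler may dispatch to. Keys are what the
// client sends; values are fixed, developer-chosen callables.
function bbackup_operations() {
    return array(
        'backup' => 'bbackup_run_backup',
        'list'   => 'bbackup_list_backups',
    );
}

function bbackup_ajax_handle_hardened() {
    // Dies with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'bbackup_nonce', 'nonce' );

    // Only administrators may trigger backup operations.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // sanitize_key() reduces the value to [a-z0-9_-]; anything else cannot
    // match an allowlist key, so unknown or crafted values are rejected.
    $op  = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    $ops = bbackup_operations();
    if ( ! array_key_exists( $op, $ops ) ) {
        wp_send_json_error( 'unknown operation', 400 );
    }

    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';

    // call_user_func() is still used, but the callable is ours, never the client's.
    $result = call_user_func( $ops[ $op ], $label );
    wp_send_json_success( $result );
}
add_action( 'wp_ajax_bbackup_ajax', 'bbackup_ajax_handle_hardened' );
```

Two points worth checking in any similar handler: the presence of a wp_ajax_nopriv_ registration is by itself the unauthenticated exposure the advisory describes, and a capability check alone is not enough if the callable is still taken from the request, since any authenticated user with that capability (or any CSRF victim, absent the nonce) could still reach arbitrary functions.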