Cyber Posture

CVE-2025-5396

Critical · RCE

Published: 17 July 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: (no entry)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0089 (75.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-5396 is a critical-severity Code Injection (CWE-94) vulnerability in the Bears Backup plugin for WordPress; the affected product is recorded here as "Themeforest", inferred from the references. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly remediates the code injection flaw in the bbackup_ajax_handle() function of the Bears Backup plugin by requiring identification, reporting, and correction of the vulnerability.
- prevent: Requires validation of user-supplied input before passing it to call_user_func(), preventing arbitrary code execution by unauthenticated attackers.
- prevent: Enforces capability checks and access authorizations on the bbackup_ajax_handle() AJAX function to block unauthenticated remote access.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? Direct unauthenticated RCE in a publicly exposed WordPress plugin via a missing authorization check and missing input validation in an AJAX handler.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability check, nor validating user supplied input passed directly to call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or create new administrative user accounts, to name a few things. On WordPress sites running the Alone theme versions 7.8.4 and older, this can be chained with CVE-2025-5394 to install the Bears Backup plugin and achieve the same impact.

Deeper analysis (AI-generated)

CVE-2025-5396 is a remote code execution vulnerability in the Bears Backup plugin for WordPress, affecting all versions up to and including 2.0.0. The flaw arises in the bbackup_ajax_handle() function, which performs no capability checks and fails to validate user-supplied input before passing it directly to call_user_func(), enabling arbitrary code execution on the server. Published on 2025-07-17, it carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-94 (Code Injection).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows code execution on the server, which can be used to inject backdoors, create new administrative user accounts, or perform other malicious actions. On WordPress sites running the Alone theme in versions 7.8.4 and older, attackers can chain this with CVE-2025-5394 to first install the Bears Backup plugin and achieve the same remote code execution impact.
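The two root causes named above (no capability check, and a client-supplied value handed to call_user_func()) are a recognisable WordPress AJAX anti-pattern. The following is an added illustration, not the Bears Backup plugin's code: a hypothetical handler with both defects, followed by the hardened form that the AC-3 and SI-10 controls recommended above correspond to. All cp_example_* names and the nonce action string are assumptions.

```php
<?php
// Added illustration (not the Bears Backup plugin's code). Names prefixed
// "cp_example_" are hypothetical.

// --- Vulnerable pattern --------------------------------------------------
// Defect 1: registered on wp_ajax_nopriv_*, so logged-out visitors reach it,
//           and no capability check is made inside the handler.
// Defect 2: the callable name is taken straight from the request and passed
//           to call_user_func(), i.e. the client picks which PHP function runs.
function cp_example_ajax_handle_vulnerable() {
    $callback = isset( $_POST['cb'] ) ? $_POST['cb'] : '';
    call_user_func( $callback );
    wp_die();
}
add_action( 'wp_ajax_cp_example_old', 'cp_example_ajax_handle_vulnerable' );
add_action( 'wp_ajax_nopriv_cp_example_old', 'cp_example_ajax_handle_vulnerable' );

// --- Hardened pattern ----------------------------------------------------
// 1. Only the authenticated hook is registered (no wp_ajax_nopriv_*).
// 2. check_ajax_referer() ties the request to a nonce the plugin issued.
// 3. current_user_can() enforces authorization (the AC-3 point).
// 4. The request names an operation, not a PHP callable; it is resolved
//    through a fixed allowlist (the SI-10 point), so call_user_func() only
//    ever receives a function name chosen by the plugin author.
const CP_EXAMPLE_OPERATIONS = array(
    'list_backups'  => 'cp_example_list_backups',
    'create_backup' => 'cp_example_create_backup',
);

function cp_example_list_backups() {
    return array( 'backups' => array() ); // placeholder for the real work
}

function cp_example_create_backup() {
    return array( 'created' => true );    // placeholder for the real work
}

function cp_example_ajax_handle_hardened() {
    // Rejects the request with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'cp_example_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $op = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    if ( ! array_key_exists( $op, CP_EXAMPLE_OPERATIONS ) ) {
        wp_send_json_error( array( 'message' => 'Unknown operation' ), 400 );
    }

    // Client data only selects an allowlist key; the callable itself is fixed.
    $result = call_user_func( CP_EXAMPLE_OPERATIONS[ $op ] );
    wp_send_json_success( $result );
}
add_action( 'wp_ajax_cp_example', 'cp_example_ajax_handle_hardened' );
```

In a plugin the two handlers would never coexist; they are registered under different action names here only so the file is self-consistent. The capability chosen for the check ('manage_options') is an assumption; a backup plugin should use whichever capability matches the privilege the operation actually needs.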

Advisories and further details are provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/81b44abb-6d30-4930-b68b-9a04d93f5169?source=cve, with the Alone theme referenced on ThemeForest at https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: Themeforest (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2025-23209 (shared CWE-94)
- CVE-2026-39440 (shared CWE-94)
- CVE-2026-3300 (shared CWE-94)
- CVE-2025-6389 (shared CWE-94)
- CVE-2025-8723 (shared CWE-94)
- CVE-2025-34277 (shared CWE-94)
- CVE-2025-57141 (shared CWE-94)
- CVE-2024-48818 (shared CWE-94)
- CVE-2025-10679 (shared CWE-94)
- CVE-2025-9321 (shared CWE-94)
