**Name of the Vulnerable Software and Affected Versions**

Alone – Charity Multipurpose Non-profit WordPress Theme versions 7.8.3 and earlier

**Description**

The Alone WordPress theme contains a critical vulnerability that allows unauthenticated attackers to upload malicious files, potentially leading to remote code execution. The vulnerability resides in the `alone import pack install plugin()` function, which lacks proper capability checks. Attackers can upload arbitrary files, such as PHP webshells disguised as plugins, from remote locations. Over 120,900 exploit attempts have been observed since July 14th. Successful exploitation can result in full site compromise.

**Recommendations**

Alone – Charity Multipurpose Non-profit WordPress Theme versions prior to 7.8.4

Update to version 7.8.5 or later.