Threat actors are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the WordPress theme 'Alone' to achieve remote code execution and perform a full site takeover.
Wordfence is reporting the malicious activity, stating it has blocked over 120,000 exploitation attempts targeting its customers.
The WordPress security firm also reports that the attacks began several days before public disclosure of the flaw, indicating that threat actors are monitoring changelogs and patches to identify trivially exploitable issues before alerts are sent to website owners.
The vulnerability, tracked as CVE-2025-5394, affects all versions of Alone up to 7.8.3. The vendor, Bearsthemes, fixed it in Alone version 7.8.5, released on June 16, 2025.
The issue stems from the theme's 'alone_import_pack_install_plugin()' function, which lacks nonce checks and is exposed through the wp_ajax_nopriv_ hook.
The function allows plugin installation via AJAX and accepts a remote source URL in the POST data, enabling unauthenticated users to trigger plugin installations from remote URLs.
According to Wordfence, attackers leverage the flaw to upload webshells inside ZIP archives, deploy password-protected PHP backdoors that allow persistent remote command execution via HTTP requests, or create hidden administrator users.
In some cases, the attackers even install full-featured file managers that give them total control over the site's databases.
Given the above, signs of compromise include the appearance of new admin users, suspicious ZIP/plugin folders, and requests to 'admin-ajax.php?action=alone_import_pack_install_plugin.'
Wordfence logged tens of thousands of exploitation attempts from the IP addresses 193.84.71.244, 87.120.92.24, 146.19.213.18, and 2a0b:4141:820:752::2, so these should be blocked immediately.
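The indicators above can be checked against a site's web server access log. The following is an added example written for this article, not code from Wordfence or Bearsthemes: it parses combined-format (Apache/nginx default) log lines, flags requests to admin-ajax.php whose query string carries the vulnerable action, and flags requests from the four source IPs the article lists. The log lines in SAMPLE_LOG are constructed for the demonstration (10.0.0.5, 203.0.113.9 and 198.51.100.7 are placeholder addresses).

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the article: the vulnerable AJAX action and the source IPs Wordfence reported.
SUSPICIOUS_ACTION = "alone_import_pack_install_plugin"
REPORTED_IPS = {
    ipaddress.ip_address(ip)
    for ip in ("193.84.71.244", "87.120.92.24", "146.19.213.18", "2a0b:4141:820:752::2")
}

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one hit from a reported IP, one from an unlisted IP,
# one benign admin-ajax heartbeat, one unrelated request from a reported IP, one normal page view.
SAMPLE_LOG = """\
193.84.71.244 - - [20/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 87
10.0.0.5 - - [20/Jul/2025:03:15:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 43
203.0.113.9 - - [20/Jul/2025:03:16:02 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 500 0
2a0b:4141:820:752::2 - - [20/Jul/2025:03:17:40 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 199
198.51.100.7 - - [20/Jul/2025:03:18:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""


def parse_line(line: str):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_exploit_attempt(path: str) -> bool:
    """True when the request targets admin-ajax.php with the vulnerable action in the query string.

    A POST may carry the action in its body instead, which access logs do not record,
    so query-string matching gives a lower bound on the attempts actually made.
    """
    parts = urlsplit(path)
    if not parts.path.endswith("/admin-ajax.php"):
        return False
    return SUSPICIOUS_ACTION in parse_qs(parts.query).get("action", [])


def is_reported_ip(ip: str) -> bool:
    """True when the client address is one of the IPs reported in the article (IPv4 or IPv6)."""
    try:
        return ipaddress.ip_address(ip) in REPORTED_IPS
    except ValueError:
        return False


def classify(entry) -> list:
    """Return the list of reasons a parsed log entry is suspicious (empty if none)."""
    reasons = []
    if is_exploit_attempt(entry["path"]):
        reasons.append("exploit_action")
    if is_reported_ip(entry["ip"]):
        reasons.append("reported_ip")
    return reasons


def scan(log_text: str) -> list:
    """Scan raw log text and return one record per suspicious request, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "ts": entry["ts"], "path": entry["path"],
                         "status": entry["status"], "reasons": reasons})
    return hits


def summarize(hits) -> Counter:
    """Count suspicious requests per source IP, a quick view of who is hammering the endpoint."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h)
    print(summarize(found))
```

A 200 status on the flagged request only shows the endpoint answered, not that the install succeeded; any hit still calls for checking wp-content/plugins for unexpected folders and the users table for new administrators, as the article describes.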
Alone is a premium theme with nearly 10,000 sales on the Envato marketplace, primarily used by non-profits such as charities, NGOs, fundraising organizations, and social organizations.
Although Wordfence submitted a report to Bearsthemes as early as May 30, 2025, they did not hear back, so they escalated the issue to the Envato team on June 12.
Four days later, the vendor released a fixed version of Alone, v7.8.5, which is the recommended update target for all users.
Last month, another premium WordPress theme, Motors, was targeted by hackers who exploited a user validation flaw to hijack administrator accounts on vulnerable websites.