Threat actors are actively exploiting a critical security flaw in “Alone Charity Multipurpose Non-profit WordPress Theme” to take over susceptible sites. The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thi An has been credited with discovering and reporting the bug. According to Wordfence, the shortcoming relates to an arbitrary file upload