CVE-2025-5396 is a critical remote code execution vulnerability classified under CWE-94 (Improper Control of Generation of Code) found in the Bears Backup plugin for WordPress. The root cause is the bbackup_ajax_handle() function, which does not perform capability checks nor validate user-supplied input before passing it directly to PHP's call_user_func() function. This flaw allows unauthenticated attackers to invoke arbitrary PHP functions remotely, leading to arbitrary code execution on the hosting server. The vulnerability affects all versions of Bears Backup up to and including 2.0.0. Exploitation can enable attackers to inject backdoors, create new administrative users, or perform other malicious actions with full server privileges. Additionally, on WordPress sites using the Alone theme versions 7.8.4 and older, this vulnerability can be chained with CVE-2025-5394 to first install the Bears Backup plugin and then exploit it, broadening the attack surface. The vulnerability was publicly disclosed on July 17, 2025, with a CVSS v3.1 score of 9.8, indicating critical severity. No patches or official fixes have been linked yet, and no active exploitation has been reported, but the ease of exploitation and impact make it a high-risk threat for WordPress sites using the affected plugin.

The impact of CVE-2025-5396 is severe for organizations running WordPress sites with the Bears Backup plugin. Successful exploitation results in full remote code execution without requiring authentication or user interaction, allowing attackers to gain complete control over the affected web server. This can lead to unauthorized data access, data modification, defacement, installation of persistent backdoors, lateral movement within internal networks, and creation of new administrative accounts to maintain long-term access. For organizations relying on WordPress for critical business operations, this could result in significant data breaches, service disruptions, reputational damage, and regulatory penalties. The ability to chain this vulnerability with CVE-2025-5394 on sites using the Alone theme further expands the potential attack surface, increasing risk for a broader set of targets. Given the widespread use of WordPress globally, the threat could affect a large number of websites, especially those that do not regularly update plugins or monitor for vulnerabilities.

To mitigate CVE-2025-5396, organizations should immediately audit their WordPress installations for the presence of the Bears Backup plugin and verify the version in use. Since no official patch links are currently available, temporary mitigations include disabling or uninstalling the Bears Backup plugin until a secure version is released. Restricting access to the WordPress admin AJAX endpoint (admin-ajax.php) via web application firewalls (WAFs) or IP whitelisting can reduce exposure to unauthenticated requests exploiting this vulnerability. Implementing strict input validation and capability checks in custom plugin code is recommended for developers to prevent similar issues. Monitoring web server logs for suspicious calls to bbackup_ajax_handle() or unexpected use of call_user_func() can help detect exploitation attempts. Additionally, organizations using the Alone theme version 7.8.4 or older should update or patch it to prevent chaining attacks. Regular backups and incident response plans should be in place to recover quickly if compromise occurs. Finally, maintain vigilance for official patches or updates from Bearsthemes and apply them promptly once available.