
CVE-2025-5396: CWE-94 Improper Control of Generation of Code ('Code Injection') in Bearsthemes Bears Backup

Severity: Critical
Tags: Vulnerability, CVE-2025-5396, CWE-94
Published: Thu Jul 17 2025 (07/17/2025, 01:44:54 UTC)
Source: CVE Database V5
Vendor/Project: Bearsthemes
Product: Bears Backup

Description

The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability check, nor validating user-supplied input passed directly to call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or create new administrative user accounts, to name a few things. On WordPress sites running the Alone theme versions 7.8.4 and older, this can be chained with CVE-2025-5394 to install the Bears Backup plugin and achieve the same impact.

AI-Powered Analysis

Last updated: 07/17/2025, 02:31:07 UTC

Technical Analysis

CVE-2025-5396 is a critical remote code execution (RCE) vulnerability affecting the Bears Backup plugin for WordPress, maintained by Bearsthemes. This vulnerability exists in all versions up to and including 2.0.0. The root cause is improper control of code generation (CWE-94) due to the bbackup_ajax_handle() function lacking both capability checks and validation of user-supplied input. Specifically, this function directly passes unvalidated input to PHP's call_user_func(), enabling unauthenticated attackers to execute arbitrary code on the server hosting the WordPress site. Exploitation can lead to severe consequences such as injecting persistent backdoors, creating new administrative users, or executing arbitrary commands, effectively compromising the confidentiality, integrity, and availability of the affected system. Additionally, on WordPress sites running the Alone theme versions 7.8.4 and older, this vulnerability can be chained with CVE-2025-5394 to first install the Bears Backup plugin and then exploit it, broadening the attack surface and impact. The vulnerability has a CVSS v3.1 base score of 9.8, reflecting its critical severity, with attack vector being network-based, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. No patches or fixes are currently listed, indicating that affected sites remain vulnerable until an update is released or mitigations are applied.
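To make the two missing controls concrete, the following is an added example and not the Bears Backup plugin's own code. It contrasts the generic vulnerable pattern the advisory describes (an unauthenticated AJAX hook that passes a request parameter straight to call_user_func()) with a hardened handler that adds a capability check, a nonce check, and an allowlist so that the request can only select a task, never name a callable. The hook name `bbackup_ajax_handle`, the `task` and `nonce` parameters, the nonce action `bbackup_nonce`, and the task names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Hook, parameter and task names are assumed.

// --- Vulnerable pattern (generic reconstruction of what the advisory describes) ---
// Reachable by anonymous callers (wp_ajax_nopriv_), no capability check, and the
// request body decides which PHP function runs.
function bbackup_ajax_handle_vulnerable() {
    $callback = isset( $_POST['task'] ) ? $_POST['task'] : '';
    call_user_func( $callback ); // attacker-controlled callable
    wp_die();
}
add_action( 'wp_ajax_nopriv_bbackup_ajax_handle', 'bbackup_ajax_handle_vulnerable' );

// --- Hardened handler ---

/** Fixed mapping from permitted task names to internal callables (assumed names). */
const BBACKUP_TASKS = array(
    'list_backups'  => 'bbackup_list_backups',
    'create_backup' => 'bbackup_create_backup',
);

function bbackup_list_backups() {
    // Illustrative task body: enumerate archives in an assumed backup directory.
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'bears-backup';
    return array_map( 'basename', glob( $dir . '/*.zip' ) ?: array() );
}

function bbackup_create_backup() {
    // Illustrative task body: real implementation would write the archive here.
    return array( 'status' => 'scheduled', 'time' => time() );
}

function bbackup_ajax_handle_hardened() {
    // 1. Authorization: only users who can administer the site may run backup tasks.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: require the nonce issued to the plugin's admin page.
    //    check_ajax_referer() terminates the request with -1 if the nonce is invalid.
    check_ajax_referer( 'bbackup_nonce', 'nonce' );

    // 3. Input validation: the request may only *select* from the allowlist.
    $task = isset( $_POST['task'] ) ? sanitize_key( wp_unslash( $_POST['task'] ) ) : '';
    if ( ! array_key_exists( $task, BBACKUP_TASKS ) ) {
        wp_send_json_error( array( 'message' => 'unknown task' ), 400 );
    }

    // The callable comes from the constant table, never from the request.
    $result = call_user_func( BBACKUP_TASKS[ $task ] );
    wp_send_json_success( $result );
}

// Registered only for logged-in users; no wp_ajax_nopriv_ hook is added at all.
add_action( 'wp_ajax_bbackup_ajax_handle', 'bbackup_ajax_handle_hardened' );
```

The key design change is that user input is reduced to a lookup key into a constant table; even if the capability or nonce check were bypassed, the request could not cause any function outside `BBACKUP_TASKS` to execute. The nonce is issued with `wp_create_nonce( 'bbackup_nonce' )` on the plugin's admin page and sent back in the `nonce` field.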

Potential Impact

For European organizations, this vulnerability poses a significant threat, especially those relying on WordPress for their web presence and using the Bears Backup plugin. Successful exploitation can lead to full system compromise, data breaches involving sensitive customer or business data, defacement of websites, and disruption of services. The ability to create administrative accounts or install backdoors can facilitate persistent access for attackers, enabling further lateral movement or data exfiltration. This is particularly critical for sectors such as finance, healthcare, government, and e-commerce, where data confidentiality and service availability are paramount and regulated under GDPR and other compliance frameworks. The lack of authentication and user interaction requirements means that attackers can remotely exploit this vulnerability at scale, increasing the risk of widespread attacks across European organizations. Furthermore, the chaining possibility with the Alone theme vulnerability increases the attack vectors, potentially impacting sites that do not initially have the Bears Backup plugin installed but use the vulnerable theme.

Mitigation Recommendations

Given the absence of an official patch, European organizations should immediately audit their WordPress installations for the presence of the Bears Backup plugin and the Alone theme (versions 7.8.4 and older). If found, the plugin should be disabled or removed until a secure update is available. Restricting access to the WordPress admin AJAX endpoint (admin-ajax.php) via web application firewalls (WAFs) or IP whitelisting can help mitigate exploitation attempts by blocking unauthorized requests to the vulnerable function. Implementing strict input validation and capability checks at the application level, if custom development resources are available, can serve as a temporary safeguard. Monitoring web server and WordPress logs for unusual or unauthorized AJAX requests can aid in early detection of exploitation attempts. Organizations should also ensure that their WordPress core, themes, and plugins are kept up to date and consider deploying runtime application self-protection (RASP) solutions to detect and block malicious code execution. Finally, regular backups and incident response plans should be reviewed and tested to prepare for potential compromise scenarios.
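The application-level safeguard mentioned above can be deployed without modifying the plugin's files, as a must-use plugin that unhooks the unauthenticated AJAX action and logs any request that still targets it. This is an added example, not code from Bears Backup or Wordfence; the hook name `bbackup_ajax_handle` is an assumption and must be confirmed against the installed plugin's `add_action()` calls before use, and the log format is constructed for illustration.

```php
<?php
/**
 * Plugin Name: Temporary guard for Bears Backup AJAX handler (added example)
 * Description: Drop this file in wp-content/mu-plugins/ as an interim mitigation.
 * The hook name below is assumed; verify it in the plugin source.
 */

const BBACKUP_GUARD_HOOK = 'wp_ajax_nopriv_bbackup_ajax_handle'; // assumed hook name

/**
 * Record an attempt against the unauthenticated handler in the PHP error log.
 * Values are sanitized so log injection via crafted headers is not possible.
 */
function bbackup_guard_log( $reason ) {
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';
    $ua     = isset( $_SERVER['HTTP_USER_AGENT'] ) ? sanitize_text_field( $_SERVER['HTTP_USER_AGENT'] ) : '';
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    error_log( sprintf(
        'bbackup-guard: %s ip=%s action=%s ua="%s"',
        $reason, $ip, $action, substr( $ua, 0, 120 )
    ) );
}

/**
 * Replacement handler for anonymous callers: log and refuse.
 */
function bbackup_guard_deny() {
    bbackup_guard_log( 'blocked unauthenticated request' );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}

/**
 * Runs on admin_init, which admin-ajax.php fires before dispatching the
 * wp_ajax_nopriv_* action. Regular plugins have already registered their hooks
 * by then, so their callbacks can be removed and replaced here.
 */
function bbackup_guard_install() {
    if ( has_action( BBACKUP_GUARD_HOOK ) ) {
        remove_all_actions( BBACKUP_GUARD_HOOK );
        bbackup_guard_log( 'unhooked vulnerable nopriv handler' );
    }
    add_action( BBACKUP_GUARD_HOOK, 'bbackup_guard_deny' );
}
add_action( 'admin_init', 'bbackup_guard_install' );
```

Because must-use plugins load before ordinary plugins, the guard cannot unhook the handler at file-load time; deferring to `admin_init` is what makes `remove_all_actions()` effective. The resulting `bbackup-guard:` lines in the PHP error log give the monitoring team a concrete string to alert on, complementing the web-server-log review recommended above.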


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-05-30T16:17:17.008Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68785ceca83201eaace0cbd8

Added to database: 7/17/2025, 2:16:12 AM

Last enriched: 7/17/2025, 2:31:07 AM

Last updated: 7/17/2025, 11:35:12 AM
