Madara – Responsive and modern WordPress theme for manga sites < 2.2.2.1 – Unauthenticated Local File Inclusion | CVE 2025-4524 | Theme Vulnerabilities

Description

The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affects Themes

Fixed in 2.2.2.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a3ee01da-218a-421d-8f9c-1dc6c056ef74

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Kyle Bouchard (ptrstr)

Verified

No

WPVDB ID

eca3a4b0-cd3c-4a49-8e4b-f1738afc7bb7

Timeline

Publicly Published

2025-05-20 (about 10 months ago)

Added

2025-05-20 (about 10 months ago)

Last Updated

2025-05-21 (about 10 months ago)

Other

Published

Title

Published

2025-01-23

Title

Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget < 1.7 - Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler()

Published

2026-01-06

Title

Yoco Payments < 3.9.1 - Unauthenticated Arbitrary File Read

Published

2023-11-20

Title

CataBlog <= 1.7.0 - Authenticated (Editor+) Arbitrary File Deletion

Published

2024-04-22

Title

Sendinblue for WooCommerce < 4.0.18 - Authenticated (Editor+) Arbitrary File Download and Deletion

Published

2022-01-31

Title

Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI