CVE-2025-4524

CRITICAL NUCLEI

Madara WordPress <2.2.2 - Local File Inclusion

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-4524. PoCs published by Beatriz Fresno Naumova, iSee857, ptrstr. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in the WordPress Madara theme by manipulating the 'template' parameter in an AJAX request to read arbitrary files (e.g., /etc/passwd). The attack leverages path traversal via 'plugins/../../../../../../../' to bypass intended restrictions.

Description

The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Exploits (3)

exploitdb WORKING POC
by Beatriz Fresno Naumova · textwebappsmultiple
https://www.exploit-db.com/exploits/52487

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in the WordPress Madara theme by manipulating the 'template' parameter in an AJAX request to read arbitrary files (e.g., /etc/passwd). The attack leverages path traversal via 'plugins/../../../../../../../' to bypass intended restrictions.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: WordPress Madara Theme (version not specified)
No auth needed
Prerequisites: WordPress with Madara theme installed · Access to /wp-admin/admin-ajax.php endpoint
devstral-2 · analyzed May 10, 2026 Full analysis →
github WORKING POC 40 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/WordPress_Madara-CVE-2025-4524-LFI.py

The repository contains functional exploit code for multiple CVEs, including CVE-2026-22812, which demonstrates a command execution vulnerability in OpenCode. The PoC sends crafted requests to exploit the vulnerability and verify command execution via the 'id' command.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: OpenCode (version not specified)
No auth needed
Prerequisites: Network access to the target · OpenCode service running on the target
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by ptrstr · poc
https://github.com/ptrstr/CVE-2025-4524

This repository contains a functional PoC for CVE-2025-4524, an unauthenticated Local File Inclusion (LFI) vulnerability in the Madara WordPress theme. The exploit leverages the `madara_load_more` action to include arbitrary files via path traversal or remote URLs if `allow_url_include` is enabled, potentially leading to RCE.

Classification
Working Poc 95%
Attack Type
Info Leak | Rce
Complexity
Moderate
Reliability
Reliable
Target: Madara WordPress theme (version not specified)
No auth needed
Prerequisites: Target must be using the Madara WordPress theme · Path traversal or remote file inclusion must be feasible
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress Madara Theme < 2.2.2.1 - Local File Inclusion
HIGHVERIFIEDby 0x_Akoko
Shodan: http.html:"/wp-content/themes/madara/"
FOFA: body="/wp-content/themes/madara/"

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.0909
EPSS Percentile 94.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-22
Status published
Products (1)
WPStylish/Madara – Responsive and modern WordPress theme for manga sites < 2.2.2
Published May 21, 2025
Tracked Since Feb 18, 2026