Description
The Edumall theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.4 via the 'template' parameter of the 'edumall_lazy_load_template' AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
Published: 2025-04-26
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Edumall, a WordPress theme used to build LMS environments, contains a local file inclusion flaw in all releases up to and including 4.2.4. The vulnerability is exercised through the template parameter of the edumall_lazy_load_template AJAX action. An unauthenticated attacker can supply a path to any PHP file on the server; that file is then included and executed in the context of the web server. The result is that an attacker can run arbitrary PHP code, bypass existing access controls, read protected data, or leverage file uploads to achieve full code execution.

Affected Systems

The affected product is ThemeMove’s Edumall Professional LMS Education Center WordPress Theme, versions 4.2.4 and earlier. Any WordPress site that uses one of these theme releases and has not yet applied the fix is at risk.

Risk and Exploitability

The flaw has a CVSS score of 8.1 and an EPSS of less than 1%, indicating high severity but a low present exploitation probability. The vulnerability is not listed in CISA KEV. The weakness is reached with a crafted AJAX request to the edumall_lazy_load_template endpoint, so the attack vector is ordinary public web traffic to the site; no authentication is required, and the resulting local file inclusion can lead to remote code execution.

Generated by OpenCVE AI on April 21, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Edumall theme to the latest release (any version newer than 4.2.4) that removes the LFI vulnerability.
  • If an upgrade is not immediately possible, temporarily block the edumall_lazy_load_template AJAX endpoint by adding a firewall rule or modifying the theme’s code to require authentication, or replace it with a custom function that only accepts a whitelist of safe template names.
  • Validate the template parameter rigorously: reject paths containing directory traversal characters or any absolute location, and configure the web server to prevent PHP execution from directories that could contain user-supplied files.
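The allow-list approach from the actions above, shown as an added illustration for site owners and theme developers; this is not the Edumall theme's own handler. The action name example_lazy_load_template, the nonce action name, and the template slugs in $allowed are assumptions; sanitize_key(), locate_template(), check_ajax_referer() and the wp_send_json_* helpers are standard WordPress functions. The request value is used only as a key into a fixed map, never as part of a file path, so traversal sequences and absolute paths have nothing to reach.

```php
<?php
// Added example (not the theme's code): an AJAX template loader that only
// includes files named in a fixed allow-list. Hypothetical names throughout.

function example_lazy_load_template_handler() {
    // Optional CSRF check; the front end must send a nonce created with
    // wp_create_nonce( 'example_lazy_load' ) in the 'nonce' field.
    check_ajax_referer( 'example_lazy_load', 'nonce' );

    // Hypothetical allow-list: request key => template path relative to the theme.
    // Only these entries can ever be included, whatever the client sends.
    $allowed = array(
        'course-grid' => 'template-parts/course-grid',
        'course-list' => 'template-parts/course-list',
    );

    // sanitize_key() lowercases and strips everything except [a-z0-9_-],
    // so '../', '/', and null bytes cannot survive even before the lookup.
    $requested = isset( $_POST['template'] )
        ? sanitize_key( wp_unslash( $_POST['template'] ) )
        : '';

    // Unknown keys are rejected outright; no path is built from user input.
    if ( ! isset( $allowed[ $requested ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown template.' ), 400 );
    }

    // locate_template() searches only the child and parent theme directories
    // and returns '' when the file does not exist there.
    $path = locate_template( $allowed[ $requested ] . '.php' );
    if ( '' === $path ) {
        wp_send_json_error( array( 'message' => 'Template not found.' ), 404 );
    }

    ob_start();
    include $path;
    wp_send_json_success( array( 'html' => ob_get_clean() ) );
}

// Registered for both logged-in and anonymous callers, as a lazy-load
// endpoint typically is; the allow-list, not authentication, is what
// prevents inclusion of arbitrary files.
add_action( 'wp_ajax_example_lazy_load_template', 'example_lazy_load_template_handler' );
add_action( 'wp_ajax_nopriv_example_lazy_load_template', 'example_lazy_load_template_handler' );
```

If the endpoint does not need to serve anonymous visitors, dropping the wp_ajax_nopriv_ registration is the cheapest way to add the authentication requirement mentioned above; the allow-list should stay in place regardless, since a logged-in subscriber account is easy to obtain on many sites.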

Advisories

Source: EUVD
ID: EUVD-2025-12486
Title: The Edumall theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.4 via the 'template' parameter of the 'edumall_lazy_load_template' AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

History

Mon, 28 Apr 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 26 Apr 2025 08:30:00 +0000

Type | Values Removed | Values Added
Description | | The Edumall theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.4 via the 'template' parameter of the 'edumall_lazy_load_template' AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
Title | | Edumall <= 4.2.4 - Unauthenticated Local File Inclusion
Weaknesses | | CWE-98
References | |
Metrics (cvssV3_1) | | {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:19.375Z

Reserved: 2025-03-07T18:42:57.689Z

Link: CVE-2025-2101

Vulnrichment

Updated: 2025-04-28T13:39:46.194Z

NVD

Status : Deferred

Published: 2025-04-26T09:15:19.440

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses