Description
The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Published: 2025-05-21
Score: 9.8 Critical
EPSS: 3.7% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Madara WordPress theme is vulnerable to Local File Inclusion in all releases up to and including 2.2.2 through the template parameter. An unauthenticated attacker can supply an arbitrary file path, which the server hands to a PHP include: the file is read, and any PHP tags it contains are executed. That is enough to bypass normal access controls and expose sensitive data on its own, and it becomes full code execution as soon as the attacker can place PHP in any file the web server process can read. Because include() runs the PHP tags in a file regardless of its extension, an uploaded image or other nominally safe file that carries PHP in its bytes is a working payload, which is why the advisory calls out “safe” upload types.

Affected Systems

The vulnerability affects the WPStylish Madara theme for WordPress, with all versions 2.2.2 and earlier at risk. No other products or vendors are listed as impacted.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 is Critical, not merely high: the vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) records a network-reachable flaw with low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability. The EPSS of 3.7% is a low absolute probability of exploitation activity in the next 30 days, although the SSVC assessment recorded in the history below rates the flaw Automatable with total technical impact, which is what one expects from an unauthenticated, single-request bug that scanners can script. The vulnerability is not in CISA's KEV catalog. The attack vector is remote over HTTP: one unauthenticated request carrying a crafted template value triggers the inclusion. The attacker does not need to upload a .php file to reach code execution; any file the server can be made to include, such as an image upload carrying PHP in its bytes, completes the chain, and even without an upload path the inclusion itself exposes local files and bypasses access controls.

Generated by OpenCVE AI on April 20, 2026 at 22:48 UTC.
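The pattern the Impact and Risk sections describe, shown beside one hardened form, as an added example. This is not Madara's code (the advisory does not publish the affected handler): the function names, the template-parts directory, the allowlist entries and the throwaway theme directory are all assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Madara's code: a minimal reconstruction of the pattern the
// advisory describes (a theme handler that passes the 'template' request
// parameter to include()) beside a hardened version. Function names, the
// template-parts directory and the allowlist entries are assumptions.

// Template names this hypothetical theme ships, keyed by the only values the
// request parameter is allowed to take.
const ALLOWED_TEMPLATES = [
    'manga-list' => 'manga-list.php',
    'chapter'    => 'chapter.php',
    'search'     => 'search.php',
];

// Build a throwaway theme directory so the example runs offline.
$themeDir = sys_get_temp_dir() . '/madara-lfi-example';
if (!is_dir($themeDir . '/template-parts')) {
    mkdir($themeDir . '/template-parts', 0700, true);
}
foreach (ALLOWED_TEMPLATES as $file) {
    file_put_contents(
        $themeDir . '/template-parts/' . $file,
        "<?php echo 'rendered ' . basename(__FILE__) . PHP_EOL;\n"
    );
}

// VULNERABLE: the raw parameter becomes part of the include path. "../" walks
// out of the theme, an absolute path ignores the prefix entirely, and because
// include() executes any <?php tags it finds, an uploaded "image" that carries
// PHP in its bytes is as good as a .php file.
function template_path_unsafe(string $themeDir, string $template): string
{
    return $themeDir . '/template-parts/' . $template;
}

function render_template_unsafe(string $themeDir, string $template): void
{
    include template_path_unsafe($themeDir, $template); // never reached with user input here
}

// HARDENED: the parameter is only ever a lookup key. It never reaches the
// filesystem as a path fragment, and the resolved file is re-checked to be
// inside the template directory.
function resolve_template_safe(string $themeDir, string $template): ?string
{
    // 1. Shape check before anything else: a short identifier, nothing more.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $template)) {
        return null;
    }
    // 2. Allowlist: unknown names do not map to a file at all.
    if (!isset(ALLOWED_TEMPLATES[$template])) {
        return null;
    }
    // 3. Defence in depth: realpath() collapses ".." and symlinks, so a prefix
    //    comparison against the canonical base directory is meaningful.
    $base = realpath($themeDir . '/template-parts');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . ALLOWED_TEMPLATES[$template]);
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $themeDir, string $template): void
{
    $path = resolve_template_safe($themeDir, $template);
    if ($path === null) {
        http_response_code(400);
        return;
    }
    include $path;
}

// Constructed inputs: one legitimate value followed by the shapes an LFI
// attacker sends (traversal, absolute path, stream wrapper, uploaded image,
// null byte). Only the first should resolve.
$inputs = [
    'chapter',
    '../../../../wp-config.php',
    '/etc/passwd',
    'php://filter/convert.base64-encode/resource=../../wp-config.php',
    '../../uploads/2025/05/avatar.png',
    "chapter\0",
];
foreach ($inputs as $in) {
    $safe = resolve_template_safe($themeDir, $in);
    printf("%-70s unsafe would include: %s\n", json_encode($in), template_path_unsafe($themeDir, $in));
    printf("%-70s hardened: %s\n\n", '', $safe === null ? 'REJECTED' : 'ok -> ' . basename($safe));
}
render_template_safe($themeDir, 'chapter');   // prints "rendered chapter.php"
```

Run it with `php example.php`. The fix is an allowlist rather than a sanitiser that strips `../`: stripping is bypassable (encoding, absolute paths, stream wrappers), whereas a lookup key that never becomes a path fragment leaves nothing to bypass. The realpath() containment check is kept as a second layer in case the allowlist is later populated from a less trustworthy source.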

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Madara theme to a release later than 2.2.2 as soon as the vendor ships a fix. As of this page no fixed version is listed, so check the vendor changelog for a change to the handling of the template parameter before treating an update as the remediation.
  • If upgrading immediately is not possible, block requests that carry a template parameter at the web server or reverse proxy, or deactivate the theme. Denying direct HTTP access to the theme's template files does not help: the inclusion is performed server-side by the handler, which reads any file the PHP process can open.
  • Deploy a web application firewall rule that blocks requests whose template parameter carries directory traversal sequences, absolute paths or PHP stream wrappers. Match on the URL-decoded value, not the raw request: ../ arrives as %2e%2e%2f or double-encoded, and an absolute path or a php:// wrapper contains no traversal sequence at all. Treat the rule as a stop-gap, not a fix.
  • Enforce strict file-upload restrictions: disallow PHP and executable files in upload directories and enable automatic sanitization of uploaded content. Blocking .php uploads alone is not enough for this bug, since include() executes PHP tags found in any file; an image or text upload containing <?php ... ?> is a valid payload. Re-encode images on upload where feasible, and keep PHP execution disabled in the uploads directory, which limits direct execution but not inclusion.

Generated by OpenCVE AI on April 20, 2026 at 22:48 UTC.
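A retrospective triage of web server access logs for the WAF and detection advice above, as an added example that is not part of the advisory or the theme. The log lines are constructed for this example, the request paths are illustrative rather than the theme's real endpoint, and the indicator list is the author's, not a published signature.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory: triage of access-log lines for
// requests whose 'template' parameter carries LFI-shaped values. The log lines
// below are constructed; the request paths are not the theme's real endpoint.
$sampleLog = <<<'LOG'
203.0.113.7 - - [21/May/2025:07:20:01 +0000] "GET /?template=chapter HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [21/May/2025:07:20:03 +0000] "GET /?template=../../../../wp-config.php HTTP/1.1" 200 2210 "-" "curl/8.4.0"
203.0.113.8 - - [21/May/2025:07:20:04 +0000] "GET /?template=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1803 "-" "curl/8.4.0"
203.0.113.9 - - [21/May/2025:07:20:09 +0000] "GET /?template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 9001 "-" "python-requests/2.31"
203.0.113.9 - - [21/May/2025:07:20:12 +0000] "GET /?template=/var/www/html/wp-content/uploads/2025/05/avatar.png HTTP/1.1" 200 77 "-" "python-requests/2.31"
203.0.113.10 - - [21/May/2025:07:21:00 +0000] "GET /manga/?template=search&s=one+piece HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
LOG;

// Decode repeatedly: a rule that only inspects the raw request misses
// %2e%2e%2f and double-encoded %252e%252e%252f.
function decode_fully(string $v, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $d = rawurldecode($v);
        if ($d === $v) {
            break;
        }
        $v = $d;
    }
    return $v;
}

// Indicators of an LFI attempt in one parameter value. A rule that looks for a
// literal "../" in the raw request catches only one of the four malicious
// lines above; the other three need decoding, an absolute-path check, or a
// stream-wrapper check.
function lfi_indicators(string $value): array
{
    $v = decode_fully($value);
    $hits = [];
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $v)) {
        $hits[] = 'traversal';
    }
    if (preg_match('#^(?:[a-zA-Z]:)?[\\\\/]#', $v)) {
        $hits[] = 'absolute-path';
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $v)) {
        $hits[] = 'stream-wrapper';
    }
    if (strpos($v, "\0") !== false) {
        $hits[] = 'null-byte';
    }
    if (preg_match('#\.(?:png|jpe?g|gif|webp|txt|log)$#i', $v)) {
        $hits[] = 'non-php-target';   // an uploaded "safe" file carrying PHP
    }
    return $hits;
}

// Parse combined-log-format lines and return one finding per suspicious request.
function triage(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $target, $status] = $m;
        // Split on the first '?' by hand; parse_url() is easily confused by
        // "://" appearing inside the query string.
        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue;
        }
        parse_str(substr($target, $qpos + 1), $params);   // decodes one layer
        if (!isset($params['template']) || !is_string($params['template'])) {
            continue;
        }
        $hits = lfi_indicators($params['template']);
        if ($hits !== []) {
            $findings[] = [
                'ip' => $ip, 'time' => $ts, 'status' => (int) $status,
                'template' => $params['template'], 'indicators' => $hits,
            ];
        }
    }
    return $findings;
}

foreach (triage($sampleLog) as $f) {
    printf("%-13s %s HTTP %d  template=%s  [%s]\n",
        $f['ip'], $f['time'], $f['status'], $f['template'], implode(',', $f['indicators']));
}
```

Run it with `php triage.php`; it flags four of the six lines and leaves the two legitimate template=chapter and template=search requests alone. The same indicator set, applied after URL decoding, is what a WAF rule for the stop-gap above should implement; a 200 status on a flagged line is the cue to check the included file and look for a corresponding upload.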


Advisories
Source   ID                Title
EUVD     EUVD-2025-15990   The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
EUVD     EUVD-2025-15991   The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
History

Wed, 21 May 2025 11:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 May 2025 06:45:00 +0000

Type          Values Removed   Values Added
Description                    The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Title                          Madara – Responsive and modern WordPress theme for manga sites <= 2.2.2 - Unauthenticated Local File Inclusion
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:54.895Z

Reserved: 2025-05-10T00:09:23.478Z

Link: CVE-2025-4524

Vulnrichment

Updated: 2025-05-21T10:14:28.134Z

NVD

Status : Deferred

Published: 2025-05-21T07:16:01.220

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4524

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:00:14Z

Weaknesses