CVE-2025-4524 - Unauthenticated madara-core Wordpress theme LFI

WordFence link

Description

A vulnerability lies in madara's madara_load_more AJAX action, where the template parameter is taken unvalidated from the request and passed straight to PHP's include function.

Vulnerability

The vulnerable code is as follows:

add_action( 'wp_ajax_madara_load_more', array( $this, 'ajax_load_next_page' ) );
add_action( 'wp_ajax_nopriv_madara_load_more', array( $this, 'ajax_load_next_page' ) );

...

function ajax_load_next_page() {
  ...
  
  if ( $query->have_posts() ) {
    while ( $query->have_posts() ) {
      $query->the_post();
      $madara_loop_index ++;
      set_query_var( 'madara_loop_index', $madara_loop_index );
      
      if ( $madara_loop_index < $posts_per_page + 1 ) {
        if ( ( strpos( $template, 'plugins' ) !== false ) ) {
          include( $template ); // we are in wp-content\themes\madara\app\{plugins} VULN
        } else {
          //$post_format = get_post_format() ? get_post_format : '';
          get_template_part( $template, get_post_format() );
        }
      }
    }

    if ( $query->post_count <= $posts_per_page ) {
      // there are no more posts
      // print a flag to detect
      echo '<div class="invi no-posts"><!-- --></div>';
    }
  } else {
    // no posts found
  }

  /* Restore original Post Data */
  wp_reset_postdata();
  die( '' );
}

On each successful query of madara_load_more, the template named by the template parameter is rendered for each post in the result. If the string plugins appears anywhere in the template parameter, the value is passed as-is to include; otherwise WordPress resolves it through get_template_part.
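To make the fix concrete, here is an added example of a hardened replacement for the dispatch shown above. It is not the theme's own code and not part of the original post; the function names madara_safe_template() and madara_render_template() and the allowlist contents are assumptions for illustration.

```php
<?php
// Added example (not the Madara theme's code): hardened template dispatch
// for ajax_load_next_page(). Function names and allowlist are assumptions.

// Only partials the theme actually ships may be loaded. This allowlist is
// constructed for the example; the real theme's partial names are not known here.
const MADARA_ALLOWED_TEMPLATES = array(
    'template-parts/post/content',
    'template-parts/post/content-excerpt',
);

/**
 * Return a vetted template slug or null.
 *
 * Rather than looking for a substring such as 'plugins', the value is
 * checked against a conservative character set, rejected if it contains
 * traversal or is absolute, and finally compared against the allowlist.
 */
function madara_safe_template( $template ) {
    if ( ! is_string( $template ) ) {
        return null;
    }
    // Letters, digits, underscore, dash and forward slash only (non-empty).
    if ( ! preg_match( '#\A[A-Za-z0-9_/-]+\z#', $template ) ) {
        return null;
    }
    if ( strpos( $template, '..' ) !== false || $template[0] === '/' ) {
        return null;
    }
    return in_array( $template, MADARA_ALLOWED_TEMPLATES, true ) ? $template : null;
}

/**
 * Replacement for the vulnerable if/else branch: never include() a raw
 * request parameter. As defence in depth, also resolve the partial under
 * the theme directory with realpath() and confirm it stayed inside it.
 */
function madara_render_template( $template ) {
    $safe = madara_safe_template( $template );
    if ( $safe === null ) {
        wp_send_json_error( 'invalid template', 400 );
        return;
    }

    $base = realpath( get_template_directory() );
    $file = realpath( $base . '/' . $safe . '.php' );
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( $file === false || strncmp( $file, $prefix, strlen( $prefix ) ) !== 0 ) {
        wp_send_json_error( 'invalid template', 400 );
        return;
    }

    // $safe is now a known relative slug, so WordPress's own loader is safe to use.
    get_template_part( $safe, get_post_format() );
}
```

Inside the loop, the original if/else on strpos( $template, 'plugins' ) would be replaced by a single call to madara_render_template( $template ). The allowlist is the actual control; the realpath check only guards against the allowlist being relaxed later, and wp_send_json_error() stops the handler with a 400 so a rejected value never reaches include or get_template_part.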


PunkBuster LPI (CVE-2025-47810)


Background

PunkBuster installs itself as two services, plus what appears to be an optional kernel driver.

  • PnkBstrA: Service that runs constantly in the background, and in charge of managing PunkBuster as a whole
  • PnkBstrB: Service that starts when a protected game starts. Comes with more functionality than its A counterpart.

Both services are structured similarly: each listens for UDP on localhost on a port in the range [44301, 44400]. Once a port is found, it is written to the Port value under HKLM:\SOFTWARE\Even Balance\PnkBstrA or HKLM:\SOFTWARE\WOW6432Node\Even Balance\PnkBstrA.
