CVE-2025-4524: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WPStylish Madara – Responsive and modern WordPress theme for manga sites
The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
AI Analysis
Technical Summary
The Madara WordPress theme (versions up to 2.2.2) contains a Local File Inclusion vulnerability via the 'template' parameter, which improperly limits pathname access. This flaw allows unauthenticated attackers to include arbitrary files, potentially executing PHP code on the server. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and poses a critical risk due to its ability to bypass access controls and compromise server security. The CVSS 3.1 base score is 9.8, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or official fix details are currently available, and the product is not a cloud service.
Potential Impact
Successful exploitation can lead to remote code execution on the server hosting the vulnerable WordPress theme, allowing attackers to bypass access controls, access sensitive information, and disrupt service availability. The vulnerability affects confidentiality, integrity, and availability at a critical level. There are no known exploits in the wild reported yet.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to restrict access to the vulnerable parameter if possible, disable or remove the Madara theme if not in use, and monitor for suspicious activity related to file inclusion attempts. Avoid uploading untrusted files to the server. Follow updates from WPStylish for any released patches or official mitigations.
CVE-2025-4524: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WPStylish Madara – Responsive and modern WordPress theme for manga sites
Description
The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Madara WordPress theme (versions up to 2.2.2) contains a Local File Inclusion vulnerability via the 'template' parameter, which improperly limits pathname access. This flaw allows unauthenticated attackers to include arbitrary files, potentially executing PHP code on the server. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and poses a critical risk due to its ability to bypass access controls and compromise server security. The CVSS 3.1 base score is 9.8, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or official fix details are currently available, and the product is not a cloud service.
Potential Impact
Successful exploitation can lead to remote code execution on the server hosting the vulnerable WordPress theme, allowing attackers to bypass access controls, access sensitive information, and disrupt service availability. The vulnerability affects confidentiality, integrity, and availability at a critical level. There are no known exploits in the wild reported yet.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to restrict access to the vulnerable parameter if possible, disable or remove the Madara theme if not in use, and monitor for suspicious activity related to file inclusion attempts. Avoid uploading untrusted files to the server. Follow updates from WPStylish for any released patches or official mitigations.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-05-10T00:09:23.478Z
- Cisa Enriched
- false
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d76fed4f2164cc9244ecb
Added to database: 5/21/2025, 6:47:26 AM
Last enriched: 4/30/2026, 1:56:09 AM
Last updated: 5/8/2026, 9:22:51 PM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.