CVE-2025-2101: 
WordPress vulnerability analysis and mitigation

The Edumall theme for WordPress contains a Local File Inclusion vulnerability (CVE-2025-2101) discovered and disclosed on April 26, 2025. The vulnerability affects all versions up to and including 4.2.4 and is present in the 'edumalllazyload_template' AJAX action through the 'template' parameter. This security issue allows unauthenticated attackers to include and execute arbitrary PHP files on affected servers (NVD, Wiz).

The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has received a CVSS v3.1 base score of 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). The technical nature of the vulnerability involves the 'template' parameter of the 'edumalllazyload_template' AJAX action, which can be exploited by unauthenticated attackers to include and execute arbitrary PHP files on the server (NVD).

The vulnerability enables attackers to bypass access controls, obtain sensitive data, and achieve code execution in cases where PHP files can be uploaded and included. This allows the execution of any PHP code contained within those files on the affected server, potentially leading to complete system compromise (Wiz).

The vulnerability has been patched in version 4.3.0 of the Edumall theme. Users are strongly advised to update to this version or later to protect against this vulnerability (Theme Changelog).