CVE-2025-46347

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to remote code execution. An arbitrary file write can be used to write a file with a PHP extension, which can then be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of the server. This could potentially be performed unwittingly by a user. This issue has been patched in version 4.5.4.
Configurations

Configuration 1

cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*:*

History

09 May 2025, 13:56

Type Values Removed Values Added
References
  Values Removed: https://github.com/YesWiki/yeswiki/commit/8fe5275a78dc7e0f9c242baa3cbac6b5ac1cc066 (no tag)
  Values Added: https://github.com/YesWiki/yeswiki/commit/8fe5275a78dc7e0f9c242baa3cbac6b5ac1cc066 (tag: Patch)
References
  Values Removed: https://github.com/YesWiki/yeswiki/security/advisories/GHSA-88xg-v53p-fpvf (no tag)
  Values Added: https://github.com/YesWiki/yeswiki/security/advisories/GHSA-88xg-v53p-fpvf (tags: Exploit, Vendor Advisory)
CPE
  Values Added: cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*:*
CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 9.8
First Time
  Values Added: Yeswiki; Yeswiki yeswiki

02 May 2025, 13:53

Type Values Removed Values Added
Summary
  • (es, translated from Spanish) YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki was vulnerable to remote code execution. An arbitrary file write could be used to write a file with a PHP extension, which could then be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of the server. This could be performed unwittingly by a user. This issue has been fixed in version 4.5.4.

29 Apr 2025, 19:15

Type Values Removed Values Added
References
  Values Removed: https://github.com/YesWiki/yeswiki/security/advisories/GHSA-88xg-v53p-fpvf (no tag)
  Values Added: https://github.com/YesWiki/yeswiki/security/advisories/GHSA-88xg-v53p-fpvf (no tag)

29 Apr 2025, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-04-29 18:15

Updated : 2025-05-09 13:56


NVD link : CVE-2025-46347

Mitre link : CVE-2025-46347

CVE.ORG link : CVE-2025-46347


Products Affected

yeswiki

  • yeswiki
CWE
CWE-116 - Improper Encoding or Escaping of Output