Unrated severity · NVD Advisory · Published Jun 26, 2025 · Updated Nov 29, 2025

WeiPHP Path Traversal Arbitrary File Read

CVE-2025-34045

Description

A path traversal vulnerability exists in WeiPHP 5.0, an open source WeChat public account platform development framework by Shenzhen Yuanmengyun Technology Co., Ltd. The flaw occurs in the picUrl parameter of the /public/index.php/material/Material/_download_imgage endpoint, where insufficient input validation allows unauthenticated remote attackers to perform directory traversal via crafted POST requests. This enables arbitrary file read on the server, potentially exposing sensitive information such as configuration files and source code. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
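A detection sketch for the request pattern described above, added here as an example and not taken from the advisory or from WeiPHP: it flags POSTs to the named endpoint whose `picUrl` value contains a traversal segment after percent-decoding. It assumes request records that include the body (for example from a WAF or reverse proxy), a form-encoded body, and constructed sample records; the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote

# Endpoint and parameter named in the advisory.
ENDPOINT = "/public/index.php/material/Material/_download_imgage"
PARAM = "picUrl"
# A ".." path segment bounded by a separator or the string edge.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(method, path, body):
    """True for a POST to the advisory endpoint whose picUrl holds a traversal segment."""
    if method.upper() != "POST":
        return False
    # Assumption: compare the path case-insensitively, ignoring query and trailing slash.
    if path.split("?", 1)[0].rstrip("/").lower() != ENDPOINT.lower():
        return False
    # Assumption: the body is application/x-www-form-urlencoded.
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    return any(TRAVERSAL.search(fully_decode(v)) for v in values)


# Constructed sample records (method, path, form-encoded body); not real traffic.
SAMPLES = [
    ("POST", ENDPOINT, "picUrl=https%3A%2F%2Fcdn.example.com%2Fa.png"),
    ("POST", ENDPOINT, "picUrl=..%2F..%2Fexample.txt"),
    ("POST", ENDPOINT, "picUrl=%252e%252e%252fexample.txt"),
    ("GET", ENDPOINT, ""),
    ("POST", "/public/index.php/home/index", "picUrl=../example.txt"),
]


def flagged(records):
    return [r for r in records if is_suspicious(*r)]


if __name__ == "__main__":
    for rec in flagged(SAMPLES):
        print("ALERT", rec)
```

Standard access logs usually omit POST bodies, so this rule only works where the body is captured.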

Affected products

2
  • WeiPHP/WeiPHP (llm-fuzzy)
    Range: = 5.0
  • Shenzhen Yuanmengyun Technology Co., Ltd./WeiPHP (v5)
    Range: 5.0

Patches

0

No patches discovered yet.

References

3
