High severityNVD Advisory· Published Apr 29, 2025· Updated Apr 29, 2025
YesWiki Remote Code Execution via Arbitrary PHP File Write and Execution
CVE-2025-46347
Description
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki vulnerable to remote code execution. An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of the server. This could potentially be performed unwittingly by a user. This issue has been patched in version 4.5.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
yeswiki/yeswikiPackagist | < 4.5.4 | 4.5.4 |
Affected products
1Patches
18fe5275a78dcfix(templates): css preset should end with .css extension
1 file changed · +4 −0
tools/templates/controllers/ApiController.php+4 −0 modified@@ -27,6 +27,10 @@ public function deleteCustomCSSPreset($presetFilename) */ public function addCustomCSSPreset($presetFilename) { + $fileParts = pathinfo($presetFilename); + if (strtolower($fileParts['extension']) !== 'css') { + return new ApiResponse(['code' => 400, 'message' => 'Wrong filename extension, should be .css'], 400); + } $result = $this->getService(ThemeManager::class)->addCustomCSSPreset($presetFilename, $_POST); $code = ($result['status']) ? 200 // 'OK'
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-88xg-v53p-fpvfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-46347ghsaADVISORY
- github.com/YesWiki/yeswiki/commit/8fe5275a78dc7e0f9c242baa3cbac6b5ac1cc066ghsax_refsource_MISCWEB
- github.com/YesWiki/yeswiki/security/advisories/GHSA-88xg-v53p-fpvfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.