VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2025 · Updated Sep 10, 2025

CVE-2025-52277

Description

Cross Site Scripting vulnerability in YesWiki v.4.54 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configuration robots field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

YesWiki v4.54 is vulnerable to stored XSS via the meta robots configuration field, allowing lower-privilege admins to execute arbitrary scripts on every page.

Vulnerability

Overview

CVE-2025-52277 is a stored Cross-Site Scripting (XSS) vulnerability in YesWiki version 4.54. The root cause lies in the meta configuration panel, specifically the input field for setting the meta robots tag. This field does not properly sanitize user input, allowing an attacker to inject arbitrary JavaScript code [1][3].

Exploitation

An attacker with lower-privilege administrator access can exploit this vulnerability by navigating to the site configuration panel (Gestion de site -> Fichier de conf -> Tags meta for web indexing) and inserting a crafted payload into the meta[robots] field. For example, the payload "> will be stored and executed on every page of the wiki that any user visits [3]. No additional authentication or network position is required beyond the initial administrator session.

Impact

Successful exploitation allows the attacker to execute malicious scripts in the context of any user's browser session, including higher-privilege administrators and regular visitors. This can lead to session hijacking, credential theft, privilege escalation, and unauthorized actions performed on behalf of other users. A stored XSS of this nature affects all users because the injected script loads on every page via the meta tag [3].

Mitigation

As of the publication date (2025-09-09), no official patch has been confirmed in the YesWiki repository [2]. Administrators should restrict which accounts can edit the meta robots field, consider applying input sanitization to it, and upgrade once a fix is released. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
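As an added illustration (not YesWiki's own code), the pattern behind the sanitization the Mitigation section calls for: rendering the robots meta tag from the stored config value, first unescaped and then with a directive allowlist plus attribute encoding. Function names and the allowlist are assumptions.

```php
<?php
// Added example, not YesWiki code: build the <meta name="robots"> tag from an
// admin-supplied config value. Function names and the allowlist are assumed.
declare(strict_types=1);

// Vulnerable pattern: the stored meta[robots] value reaches the attribute
// as-is, so a value containing a double quote closes the attribute and any
// markup after it becomes part of every page that emits this tag.
function renderRobotsMetaUnsafe(string $robots): string
{
    return '<meta name="robots" content="' . $robots . '">';
}

// Directives a robots meta tag may legitimately carry (assumed allowlist).
const ROBOTS_DIRECTIVES = [
    'index', 'noindex', 'follow', 'nofollow', 'all', 'none',
    'noarchive', 'nosnippet', 'noimageindex', 'notranslate',
];

// Validate the stored value: comma-separated directives, each on the
// allowlist. Returns the normalised value, or null if anything else appears.
function validateRobotsValue(string $robots): ?string
{
    $parts = array_map('trim', explode(',', strtolower($robots)));
    foreach ($parts as $part) {
        if (!in_array($part, ROBOTS_DIRECTIVES, true)) {
            return null;
        }
    }
    return implode(', ', $parts);
}

// Hardened pattern: reject values outside the allowlist, and still encode on
// output so a quote or angle bracket can never break out of the attribute.
function renderRobotsMetaSafe(string $robots): string
{
    $validated = validateRobotsValue($robots);
    if ($validated === null) {
        // Fall back to a sane default rather than echoing rejected input.
        $validated = 'index, follow';
    }
    $encoded = htmlspecialchars($validated, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta name="robots" content="' . $encoded . '">';
}

// Constructed samples: a legitimate value and one that tries to close the attribute.
$good = 'noindex, nofollow';
$bad  = 'noindex"><b>injected</b>';

echo renderRobotsMetaUnsafe($bad), PHP_EOL; // attribute closed, markup leaks into the page
echo renderRobotsMetaSafe($bad), PHP_EOL;   // rejected by the allowlist, default emitted
echo renderRobotsMetaSafe($good), PHP_EOL;  // legitimate directives pass through encoded
```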

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
yeswiki/yeswiki (Packagist)    <= 4.5.4            none
