VYPR
Medium severity · CVSS 4.7 · OSV Advisory · Published Jul 14, 2025 · Updated Apr 15, 2026

CVE-2025-7575

Description

A vulnerability has been found in Zavy86 WikiDocs up to 1.0.77 and classified as critical. Affected by this vulnerability are the functions image_drop_upload_ajax and image_delete_ajax in the file submit.php. The manipulation leads to path traversal. The attack can be launched remotely. Upgrading to version 1.0.78 addresses this issue. The identifier of the patch is 98ea9ee4a2052c4327f89d2f7688cc1b5749450d. It is recommended to upgrade the affected component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in WikiDocs up to 1.0.77 allows remote attackers to delete arbitrary image files via the image_drop_upload_ajax and image_delete_ajax functions in submit.php.

Vulnerability Analysis

A path traversal vulnerability has been identified in the Zavy86 WikiDocs application, affecting versions up to and including 1.0.77. The flaw resides in the image_drop_upload_ajax and image_delete_ajax functions within the submit.php file. The root cause is the insecure handling of user-supplied filename parameters (image_name and document), which are used directly in file operations without proper sanitization, allowing directory traversal sequences like ../ to access files outside the intended image directory [1][3].

Attack Surface and Exploitation

The vulnerability can be exploited remotely without requiring authentication, as the vulnerable AJAX endpoints are accessible to unauthenticated users. An attacker can send a crafted HTTP POST request to submit.php with a manipulated image_name parameter containing path traversal patterns (e.g., ../../../etc/passwd). The document parameter also lacked validation against directory traversal characters in versions prior to the patch [3]. No special privileges or network position are required beyond the ability to reach the web application.

Impact

Successful exploitation allows an unauthenticated attacker to delete arbitrary files on the server file system, potentially leading to denial of service, removal of configuration files, or disruption of application functionality. The path traversal is limited to deletion operations, not arbitrary read or write, but the ability to remove critical files can severely impact the application's availability and integrity [1][2].

Mitigation

The vulnerability has been patched in WikiDocs version 1.0.78. The fix, implemented in commit 98ea9ee4a2052c4327f89d2f7688cc1b5749450d, adds input validation: image_name is reduced with basename(), and document values containing .., /, or \ are rejected [3]. Users are strongly advised to upgrade to the latest version as soon as possible [1][2]. No workarounds have been documented.
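The following is an added example, written for this page and not taken from the WikiDocs code base or its patch, showing the validation pattern the analysis and mitigation sections describe: basename() applied to image_name, outright rejection of document values containing "..", "/" or "\", and a final realpath() containment check. The directory layout (IMAGES_ROOT), the function names, the extension allow-list and the realpath() check are assumptions added for illustration; only the basename() and character-rejection steps are what the page attributes to the fix.

```php
<?php
// Added example, not WikiDocs code. Function names, IMAGES_ROOT and the
// extension allow-list are assumptions; the page only describes basename()
// on image_name and rejecting "..", "/" and "\" in document.

declare(strict_types=1);

const IMAGES_ROOT = __DIR__ . '/datasets/images'; // assumed layout

/**
 * Validate the document identifier: reject anything containing "..", "/" or "\".
 * Rejecting is safer than stripping, because stripping "../" from "..././"
 * still leaves "../". Returns the identifier unchanged, or null if rejected.
 */
function validate_document(string $document): ?string
{
    if ($document === '' || strlen($document) > 255) {
        return null;
    }
    if (strpos($document, '..') !== false
        || strpos($document, '/') !== false
        || strpos($document, '\\') !== false) {
        return null;
    }
    return $document;
}

/**
 * Reduce image_name to a bare file name. basename() drops any directory part,
 * so "../../x.png" becomes "x.png"; "", "." and ".." can still come out of it,
 * so they are checked explicitly, and an allow-list of characters and
 * extensions is applied (the allow-list is an addition beyond the fix).
 */
function validate_image_name(string $imageName): ?string
{
    $name = basename($imageName);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]+\.(png|jpe?g|gif|webp)$/i', $name)) {
        return null;
    }
    return $name;
}

/**
 * Resolve the final path and confirm it lies under IMAGES_ROOT. This is a
 * defense-in-depth step independent of the string checks above: even if a
 * check were bypassed, a path outside the image root is never returned.
 */
function resolve_image_path(string $document, string $imageName): ?string
{
    $doc  = validate_document($document);
    $name = validate_image_name($imageName);
    if ($doc === null || $name === null) {
        return null;
    }
    $root = realpath(IMAGES_ROOT);
    $dir  = realpath(IMAGES_ROOT . '/' . $doc);
    if ($root === false || $dir === false) {
        return null;
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    // Prefix comparison against root plus a separator avoids matching
    // a sibling directory such as "images2".
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Hypothetical delete handler: only unlink when every check passed. */
function image_delete_hardened(string $document, string $imageName): bool
{
    $path = resolve_image_path($document, $imageName);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed inputs exercising the checks; nothing on disk is touched.
$samples = [
    ['getting-started', 'diagram.png'],
    ['../config',       'diagram.png'],
    ['getting-started', '../../../etc/passwd'],
    ['getting-started', '..'],
    ['getting-started', 'a\\b.png'],
];
foreach ($samples as [$doc, $img]) {
    $d = validate_document($doc);
    $n = validate_image_name($img);
    printf("document=%-16s image_name=%-22s -> %s\n",
        var_export($doc, true), var_export($img, true),
        ($d === null || $n === null) ? 'rejected' : "accepted as {$d}/{$n}");
}
```

Run with `php example.php` to see which constructed inputs are rejected and why. The realpath() step matters because it works on the resolved filesystem path rather than on the raw string, so it also catches cases the character checks do not cover, such as a symlink inside the image directory pointing elsewhere.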

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1 · Patches: 0 (no patches discovered yet) · Vulnerability mechanics: not yet synthesized · References: 6 · News mentions: 0 (no linked articles in the index yet)