CVE-2025-24019
📋 TL;DR
This vulnerability in YesWiki allows any authenticated user to delete arbitrary files owned by the PHP-FPM process user, potentially leading to data loss, website defacement, or complete service disruption. It affects all YesWiki installations up to version 4.4.5 where the filemanager functionality is accessible to authenticated users.
💻 Affected Systems
- YesWiki
📦 What is this software?
YesWiki by YesWiki
⚠️ Risk & Real-World Impact
Worst Case
Complete destruction of the YesWiki installation by deleting critical PHP files (index.php, core files), rendering the wiki inaccessible and requiring full restoration from backups.
Likely Case
Partial data loss and website defacement through deletion of content files, images, or configuration files, disrupting normal wiki operations.
If Mitigated
Limited impact if proper file ownership separation exists (PHP files owned by root, FPM running as www-data), but still allows deletion of user-uploaded content.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward through the filemanager interface. No special tools or advanced knowledge needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.0
Vendor Advisory: https://github.com/YesWiki/yeswiki/security/advisories/GHSA-43c9-gw4x-pcx6
Restart Required: No
Instructions:
1. Back up your YesWiki installation and database.
2. Download YesWiki 4.5.0 from the official repository.
3. Replace all files with the patched version, preserving your custom configurations and uploaded content.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Disable filemanager for authenticated users
all: Remove or restrict access to the filemanager functionality for all authenticated users
# Modify YesWiki configuration or access controls to disable filemanager
Implement strict file ownership separation
Linux/Unix: Ensure PHP files are owned by root and FPM runs as a different user (www-data)
chown -R root:root /path/to/yeswiki
chmod -R 755 /path/to/yeswiki
🧯 If You Can't Patch
- Implement strict access controls to limit which users can authenticate to the wiki
- Regularly back up all YesWiki files and database to enable rapid recovery if files are deleted
🔍 How to Verify
Check if Vulnerable:
Check your YesWiki version in the administration panel or by examining the version.php file. If the version is 4.4.5 or earlier, you are vulnerable.
Check Version:
grep -F '$wiki->version' /path/to/yeswiki/includes/version.php
Verify Fix Applied:
After upgrading, verify the version shows 4.5.0 or later. Test that authenticated users cannot delete files outside their permitted scope through the filemanager.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion patterns in web server logs
- Multiple DELETE requests to filemanager endpoints from single user
- Error logs showing missing PHP files
Network Indicators:
- HTTP requests to /filemanager endpoints with DELETE method
SIEM Query:
source="web_logs" AND (uri_path="/filemanager" OR uri_path="/?FileManager") AND http_method="DELETE"
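The log indicators above, implemented as an added example (not part of the original advisory or YesWiki's own code): it counts DELETE requests to the filemanager endpoints named in the SIEM query, per authenticated user or client address. The combined access-log format, the threshold of 3 and the sample log lines are assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log line (assumed log format):
# client ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The two endpoints from the SIEM query above, matched case-insensitively.
ENDPOINT_RE = re.compile(
    r'^/(filemanager(?:[/?]|$)|\?filemanager(?:[&=]|$))', re.I
)


def flag_filemanager_deletes(lines, threshold=3):
    """Return {source: count} for every source that sent at least
    `threshold` DELETE requests to a filemanager endpoint.
    `threshold` is an assumed tuning value, not from the advisory."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "DELETE":
            continue
        if not ENDPOINT_RE.match(m["target"]):
            continue
        # Prefer the authenticated user field; fall back to the client address.
        source = m["user"] if m["user"] != "-" else m["client"]
        hits[source] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2025:10:00:01 +0000] "DELETE /?FileManager HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Jan/2025:10:00:02 +0000] "DELETE /?FileManager HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Jan/2025:10:00:03 +0000] "DELETE /?FileManager HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Jan/2025:10:00:04 +0000] "GET /?FileManager HTTP/1.1" 200 2048',
    '198.51.100.7 - alice [10/Jan/2025:10:05:00 +0000] "DELETE /filemanager HTTP/1.1" 200 128',
    '203.0.113.5 - - [10/Jan/2025:10:06:00 +0000] "DELETE /api/other HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for source, count in flag_filemanager_deletes(SAMPLE_LOG).items():
        print(f"ALERT {source}: {count} DELETE requests to filemanager")
```

Pair the alert with the error-log indicator (missing PHP files) before treating it as confirmed deletion, since a burst of DELETE requests alone does not show that files were removed.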