CVE-2025-32461
📋 TL;DR
CVE-2025-32461 is a critical remote code execution vulnerability in Tiki Wiki CMS where the wikiplugin_includetpl plugin improperly handles input passed to an eval() function. This allows authenticated users with edit permissions to execute arbitrary PHP code on the server. All Tiki installations before versions 21.12, 24.8, 27.2, and 28.3 are affected.
💻 Affected Systems
- Tiki Wiki CMS Groupware
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, malware deployment, lateral movement, and complete system takeover.
Likely Case
Authenticated attackers with edit permissions execute arbitrary code to steal sensitive data, deface websites, or install backdoors.
If Mitigated
With proper input validation and least privilege, impact is limited to the web application context, but still significant.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated due to direct eval() misuse.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.12, 24.8, 27.2, or 28.3
Vendor Advisory: https://gitlab.com/tikiwiki/tiki/-/commit/406bea4f6c379a23903ecfd55e538d90fd669ab0
Restart Required: No
Instructions:
1. Back up your Tiki installation and database.
2. Update to the appropriate fixed version: 21.12 for LTS 21.x, 24.8 for LTS 24.x, 27.2 for LTS 27.x, or 28.3 for the main branch.
3. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable wikiplugin_includetpl
Temporarily disable the vulnerable plugin to prevent exploitation.
Edit Tiki configuration to remove or disable wikiplugin_includetpl functionality
Restrict edit permissions
Limit wiki edit permissions to trusted administrators only.
Review and tighten Tiki permission settings for wiki editing
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to Tiki instances.
- Deploy web application firewall (WAF) rules to block eval() injection patterns and monitor for exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check the Tiki version in the admin panel or via tiki-version.php. If the version is older than the fixed release for its branch (21.12, 24.8, 27.2, or 28.3), the system is vulnerable.
Check Version:
Check Tiki admin panel or view source of tiki-version.php
Verify Fix Applied:
Confirm version is updated to 21.12, 24.8, 27.2, or 28.3 in admin panel and test wikiplugin_includetpl functionality.
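As an added example (not part of this advisory and not a Tiki project tool), the following Python script applies the version rule above branch by branch, so that 27.1 is reported as affected while 27.2 is not. It assumes that a version string copied from the admin panel or tiki-version.php is available; that each supported branch is fixed at the release named above; that branches with no listed fix (22.x, 23.x, 25.x, 26.x and anything older than 21) should be treated as affected, since no patched release exists for them; and that releases newer than 28.3 postdate the fix. The sample version strings at the bottom are constructed for illustration.

```python
"""Branch-aware check of a Tiki version string against the fixed releases named
for CVE-2025-32461 (added example; the branch handling is an assumption, not a
statement from the advisory)."""
import re
import sys

# First fixed release on each branch that received a fix, per the advisory.
FIXED = {21: (21, 12), 24: (24, 8), 27: (27, 2), 28: (28, 3)}


def parse_version(text: str) -> tuple[int, int]:
    """Pull the major.minor pair out of strings such as '27.1' or 'Tiki 24.7'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(text: str) -> bool:
    """True when the install runs a release older than its branch's fix."""
    major, minor = parse_version(text)
    if major in FIXED:
        return (major, minor) < FIXED[major]
    # Assumption: branches without a listed fix (e.g. 22.x, 23.x, 25.x, 26.x,
    # or anything older than 21) have no patched release, so they are treated
    # as affected; branches newer than the latest fixed one start after the fix.
    return major < max(FIXED)


def assess(text: str) -> str:
    """One-line verdict with the upgrade target for the install's branch."""
    major, minor = parse_version(text)
    label = f"{major}.{minor}"
    if not is_vulnerable(text):
        return f"{label}: not affected"
    if major in FIXED:
        fixed = ".".join(str(n) for n in FIXED[major])
        return f"{label}: affected; upgrade to {fixed}"
    return (f"{label}: affected; no fix on this branch, move to a supported "
            f"branch (21.12, 24.8, 27.2 or 28.3)")


if __name__ == "__main__":
    # Constructed sample inputs; pass real version strings as arguments instead.
    samples = sys.argv[1:] or ["Tiki 21.11", "24.8", "26.4", "27.1", "28.3", "29.0"]
    for sample in samples:
        print(assess(sample))
```

Run it with the version string shown by the admin panel as the argument; a version that parses but sits below its branch's fixed release is reported together with the release to upgrade to.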
📡 Detection & Monitoring
Log Indicators:
- Unusual eval() calls in PHP logs
- Suspicious wikiplugin_includetpl usage patterns
- Unexpected file writes or system commands
Network Indicators:
- HTTP POST requests to wikiplugin_includetpl with unusual parameters
- Outbound connections from web server to unexpected destinations
SIEM Query:
Search web server logs for 'wikiplugin_includetpl' with suspicious parameter values or eval patterns
🔗 References
- https://gitlab.com/tikiwiki/tiki/-/commit/406bea4f6c379a23903ecfd55e538d90fd669ab0
- https://gitlab.com/tikiwiki/tiki/-/commit/801ed912390c2aa6caf12b7b953e200f5d4bc0b1
- https://gitlab.com/tikiwiki/tiki/-/commit/9ffb4ab21bd86837370666ecd6afd868f3d7877a
- https://gitlab.com/tikiwiki/tiki/-/commit/be8dc1aa220fbceb07a7a5dc36416243afccd358
- https://gitlab.com/tikiwiki/tiki/-/commit/f3f36c1ac702479209acfcaec5789d2fd1f996bc
- https://tiki.org/article517
- https://tiki.org/article518
- http://seclists.org/fulldisclosure/2025/Jul/11