CVE-2025-46347
📋 TL;DR
YesWiki versions before 4.5.4 contain a remote code execution vulnerability that allows attackers to write arbitrary PHP files to the server. When exploited, this gives attackers full control over the affected server. All YesWiki installations running vulnerable versions are affected.
💻 Affected Systems
- YesWiki
📦 What is this software?
YesWiki by YesWiki
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, lateral movement, and persistent backdoor installation.
Likely Case
Attacker gains shell access, installs web shells, steals sensitive data, and uses server for further attacks.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and file integrity monitoring are in place.
🎯 Exploit Status
The vulnerability is straightforward to exploit with publicly available details. Attackers can write PHP files and execute them remotely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.4
Vendor Advisory: https://github.com/YesWiki/yeswiki/security/advisories/GHSA-88xg-v53p-fpvf
Restart Required: No
Instructions:
1. Back up your YesWiki installation and database.
2. Download YesWiki version 4.5.4 from the official repository.
3. Replace all files with the patched version.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Restrict PHP File Uploads
Configure the web server to block execution of uploaded PHP files in the upload directories.
# For Apache: add to .htaccess in each upload directory (the directory must be
# covered by an AllowOverride that permits these directives). "Require all denied"
# is the Apache 2.4 form; Order/Deny is the 2.2 form for servers still loading mod_access_compat.
<Files "*.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>
# For Nginx: add to the server block BEFORE the general "location ~ \.php$" fastcgi
# block (regex locations are tried in order, first match wins) and scope it to the
# upload directory: an unscoped \.php$ deny would also block YesWiki's own entry
# scripts. /UPLOAD_DIR/ is a placeholder for your actual upload path.
location ~* ^/UPLOAD_DIR/.*\.php$ {
    deny all;
}
🧯 If You Can't Patch
- Implement strict WAF rules to block file upload attempts with PHP extensions
- Disable file upload functionality entirely in YesWiki configuration
🔍 How to Verify
Check if Vulnerable:
Check the YesWiki version in the admin panel or examine the core files for version information; any version below 4.5.4 is vulnerable.
Check Version:
Check the version in the YesWiki admin interface or examine the file 'includes/YesWiki.php' for version information
Verify Fix Applied:
Verify version is 4.5.4 or later and test that arbitrary PHP file uploads are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with PHP extensions
- Multiple failed upload attempts
- Requests to unusual PHP files in upload directories
Network Indicators:
- HTTP POST requests with file uploads to YesWiki endpoints
- Traffic patterns showing file upload followed by execution
SIEM Query (generic pattern; narrow the uri filter to your upload path, since every POST to a .php URI also matches normal wiki edits):
source="web_server" AND (uri="*upload*" OR uri="*.php") AND method="POST" AND status="200"
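As an added example (not part of the advisory), the following Python script applies the log and network indicators above to a few constructed access-log lines: it flags any request for a .php file under the upload directory and correlates an upload POST with a later request to such a file from the same client. The /files/ upload path, the wakka.php request paths and the five-minute correlation window are assumptions, not values taken from YesWiki or the advisory.

```python
import re
from datetime import datetime

# Assumptions (not from the advisory): uploads live under /files/, an upload
# POST is recognisable by "upload" in its URI, and the correlation window is 5 min.
UPLOAD_DIR = "/files/"
WINDOW_SECONDS = 300

# Combined log format: client ident user [time] "METHOD uri proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
PHP_IN_UPLOAD_RE = re.compile(re.escape(UPLOAD_DIR) + r"[^?]*\.php\d?(\?|$)", re.I)

# Constructed sample access-log lines; IPs, pages and file names are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2025:10:00:01 +0000] "GET /wakka.php?wiki=PagePrincipale HTTP/1.1" 200 5120
192.0.2.10 - - [10/May/2025:10:00:09 +0000] "POST /wakka.php?wiki=PagePrincipale/edit HTTP/1.1" 200 2048
10.0.0.7 - - [10/May/2025:10:02:00 +0000] "POST /wakka.php?wiki=Docs/upload HTTP/1.1" 200 310
10.0.0.7 - - [10/May/2025:10:02:05 +0000] "GET /files/report.pdf HTTP/1.1" 200 88211
198.51.100.9 - - [10/May/2025:10:05:10 +0000] "POST /wakka.php?wiki=PagePrincipale/upload HTTP/1.1" 200 310
198.51.100.9 - - [10/May/2025:10:05:14 +0000] "GET /files/shell.php HTTP/1.1" 200 87
203.0.113.77 - - [10/May/2025:11:00:00 +0000] "GET /files/old.php HTTP/1.1" 404 196
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "uri": m["uri"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def detect(lines):
    """Return (indicator, client_ip, uri) tuples: any request for a .php file under the
    upload directory, plus an upload POST followed by such a request within the window."""
    alerts = []
    last_upload_post = {}  # client ip -> time of its most recent upload POST
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and "upload" in ev["uri"].lower():
            last_upload_post[ev["ip"]] = ev["ts"]
        elif PHP_IN_UPLOAD_RE.search(ev["uri"]):
            alerts.append(("php_in_upload_dir", ev["ip"], ev["uri"]))
            prior = last_upload_post.get(ev["ip"])
            if prior and 0 <= (ev["ts"] - prior).total_seconds() <= WINDOW_SECONDS:
                alerts.append(("upload_then_execute", ev["ip"], ev["uri"]))
    return alerts
```

Pointing detect() at the lines of a real access log replaces the constructed sample; a 404 on a .php path under the upload directory is still reported, since it shows someone probing for a written file.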