CVE-2025-51958
📋 TL;DR
CVE-2025-51958 is a critical remote code execution vulnerability in the aelsantex runcommand plugin for DokuWiki. An unauthenticated attacker can execute arbitrary system commands on the server by sending an HTTP request to the plugin's postaction.php file. Every DokuWiki installation that has the vulnerable runcommand plugin on disk is affected.
💻 Affected Systems
- DokuWiki with aelsantex runcommand plugin
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with web server privileges, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Attackers gain shell access to the web server, allowing them to read sensitive files, modify content, or pivot to other systems on the network.
If Mitigated
With network segmentation and a least-privilege web server account, impact is limited to what that account can reach on the web server itself and within its isolated network segment.
🎯 Exploit Status
The vulnerability requires no authentication and has a simple exploitation path via HTTP request to the vulnerable PHP file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://www.dokuwiki.org/plugin:runcommand
Restart Required: No
Instructions:
1. Remove the runcommand plugin from your DokuWiki installation (Extension Manager > Uninstall, or by hand).
2. Delete the lib/plugins/runcommand directory, including any leftover files, so nothing remains reachable over HTTP.
3. Clear the DokuWiki cache if applicable.
🔧 Temporary Workarounds
Block access to vulnerable file
Use web server configuration to block access to the vulnerable PHP file. This stops the request before PHP runs, so it holds even while the plugin is still installed. Apache reads .htaccess on every request; Nginx needs a configuration reload after the change.
# For Apache 2.4: add to the DokuWiki .htaccess or the virtual host config
# (<Files> matches the file name anywhere under that scope, which is fine here;
# Apache 2.2 uses "Order deny,allow" / "Deny from all" instead)
<Files "postaction.php">
Require all denied
</Files>
# For Nginx: add to the server block before the generic "location ~ \.php$"
# handler; regex locations are tried in order and the first match wins.
# The (/|$) suffix also catches PATH_INFO requests such as postaction.php/x.
location ~ /lib/plugins/runcommand/postaction\.php(/|$) {
deny all;
return 403;
}
Disable plugin via DokuWiki
Disable the runcommand plugin through DokuWiki's plugin manager. Caveat: disabling only places a marker file named disabled in lib/plugins/runcommand so that DokuWiki stops loading the plugin; the PHP file stays on disk and the web server will still execute it when it is requested directly. Treat this as a stopgap and combine it with the web server block above, or use Uninstall in the Extension Manager, which deletes the directory.
# Access DokuWiki admin panel > Extension Manager > Manage Plugins
# Find 'runcommand' and click 'Disable'
🧯 If You Can't Patch
- Remove the runcommand plugin from every DokuWiki installation; there is no patched release, so removal is the fix
- Where removal has to wait, block lib/plugins/runcommand/postaction.php at the web server (workaround above) and confirm the block with an HTTP request to the file
- Implement network segmentation to isolate DokuWiki servers from critical systems, and run the web server under a low-privilege account
🔍 How to Verify
Check if Vulnerable:
Check whether lib/plugins/runcommand/postaction.php exists under your DokuWiki root. If it does, also request it over HTTP: a 200 response means the file is reachable and the installation is exposed even if the plugin is disabled in DokuWiki.
Check Version:
Read lib/plugins/runcommand/plugin.info.txt; DokuWiki plugins record their release in the date line. There is no fixed release, so any version present is affected.
Verify Fix Applied:
Verify that the lib/plugins/runcommand directory has been completely removed and that an HTTP request to the former file path no longer returns 200.
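The three verification steps above as one script. This is an added example, not part of the advisory or the plugin; it assumes the DokuWiki root is passed as the first argument (defaulting to /var/www/dokuwiki, an assumed path) and that plugin.info.txt follows DokuWiki's "key value" convention with the release recorded in the date line. It also reports the disabled marker so that a merely disabled plugin is not mistaken for a removed one.

```shell
#!/bin/sh
# Added example (not from the advisory or the runcommand plugin): check a
# DokuWiki tree for the runcommand plugin and report its state.
# Exit status: 0 = plugin directory absent (fix verified), 1 = still present.

check_runcommand() {
    root="${1:-/var/www/dokuwiki}"          # install root; default is an assumption
    plugin_dir="$root/lib/plugins/runcommand"
    target="$plugin_dir/postaction.php"

    if [ ! -d "$plugin_dir" ]; then
        echo "OK: $plugin_dir is absent (plugin removed or never installed)"
        return 0
    fi

    # DokuWiki plugins describe themselves in plugin.info.txt as
    # "key<whitespace>value" lines; the release version is the 'date' key.
    info="$plugin_dir/plugin.info.txt"
    if [ -f "$info" ]; then
        version=$(awk '$1 == "date" { print $2; exit }' "$info")
        echo "INFO: runcommand plugin version (date): ${version:-unknown}"
    else
        echo "INFO: no plugin.info.txt found in $plugin_dir"
    fi

    if [ -f "$target" ]; then
        echo "VULNERABLE: $target exists and is executed if requested, unless the web server blocks it"
    else
        echo "WARN: $plugin_dir exists but $target is missing; remove the directory anyway"
    fi

    # A file named 'disabled' is how DokuWiki records a plugin disabled in the
    # Extension Manager. It stops DokuWiki loading the plugin but does not stop
    # PHP executing the file on a direct request.
    if [ -f "$plugin_dir/disabled" ]; then
        echo "NOTE: plugin is disabled in DokuWiki; that is not sufficient on its own"
    fi
    return 1
}

# 'Verify Fix Applied' as a predicate: true only when the whole directory is gone.
fix_applied() {
    [ ! -e "${1:-/var/www/dokuwiki}/lib/plugins/runcommand" ]
}

# Stand-alone run: report on the path given on the command line (or the default).
check_runcommand "$@"
```

Run it as `sh check_runcommand.sh /path/to/dokuwiki` and act on any VULNERABLE or NOTE line; the HTTP reachability check from the verification steps is a separate request against the live site, since a filesystem check alone cannot tell whether the web server block is in place.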
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /lib/plugins/runcommand/postaction.php in web server access logs. Query strings are logged, but POST bodies are not, so command arguments sent by POST are only visible with request-body logging or a WAF in front of the server
- Unusual child processes of the web server user (shells, curl, wget, interpreters) in process accounting or EDR telemetry
- Web server error logs showing command execution attempts
Network Indicators:
- HTTP POST requests to the vulnerable endpoint, especially from clients that never fetched a wiki page first
- Outbound connections from web server to unusual destinations
SIEM Query:
source="web_server_logs" AND (uri="/lib/plugins/runcommand/postaction.php" OR uri CONTAINS "postaction.php")
Triage hits by status code: a 200 means the request reached PHP and should be treated as a possible compromise; a 403 means the web server block held.
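The log indicators and the SIEM query above, applied to an Apache/Nginx combined-format access log. This is an added example, not from the advisory: the log lines in sample_access_log are constructed for illustration (documentation IP ranges, made-up user agents, and a placeholder query string x=1 that stands for whatever a client appends), and the field positions assume the default combined log format.

```shell
#!/bin/sh
# Added example (not from the advisory): flag requests for the runcommand
# endpoint in a combined-format access log read on stdin.

# Print "client method path status" for each request whose path names the
# vulnerable file, whatever the method or query string. In combined format the
# fields split on whitespace as: $1 client, $6 "METHOD, $7 path, $9 status.
scan_runcommand_requests() {
    awk '
        $7 ~ /\/lib\/plugins\/runcommand\/postaction\.php/ {
            method = $6
            sub(/^"/, "", method)          # strip the opening quote of "METHOD
            printf "%s %s %s %s\n", $1, method, $7, $9
        }
    '
}

# Count hits; a 200 means the request reached PHP, a 403 means the web-server
# block from the workarounds section caught it.
count_runcommand_requests() {
    scan_runcommand_requests | wc -l | tr -d ' '
}

# Constructed sample: one normal page view, one POST that reached the endpoint,
# one GET that was blocked with 403, and one request for another file in the
# same plugin directory (not flagged, since only postaction.php is the target).
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Aug/2025:12:00:01 +0000] "GET /doku.php?id=start HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2025:12:00:05 +0000] "POST /lib/plugins/runcommand/postaction.php HTTP/1.1" 200 231 "-" "curl/8.4.0"
198.51.100.9 - - [10/Aug/2025:12:01:17 +0000] "GET /lib/plugins/runcommand/postaction.php?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.5 - - [10/Aug/2025:12:02:00 +0000] "GET /lib/plugins/runcommand/style.css HTTP/1.1" 200 77 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run: scan the file given as $1, or the constructed sample if none.
if [ -n "${1:-}" ]; then
    scan_runcommand_requests < "$1"
else
    sample_access_log | scan_runcommand_requests
fi
```

Against a real server run `sh scan_runcommand.sh /var/log/apache2/access.log` (or the Nginx equivalent); the two flagged lines in the sample show why the status code matters, as the POST with 200 is the one that needs incident response while the 403 confirms the block is working. Because POST bodies never appear in the access log, a 200 hit is the trigger to pull process and outbound-connection telemetry for the web server user rather than to look for the command in the log.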