Unauthorized Backup Command Execution in YesWiki PHP System
CVE-2025-46348

9.8 CRITICAL

Key Information:

Vendor: Yeswiki
Status: Vendor
CVE Published: 29 April 2025

What is CVE-2025-46348?

YesWiki, a PHP-based wiki system, contains a serious vulnerability in versions prior to 4.5.4: an unauthenticated request can trigger the site's backup process, with no form of authentication required. This allows an attacker to generate and then download backups, because the backup filenames are predictable, exposing sensitive site data; repeated backup requests can also exhaust the file system's storage. The vulnerability is fixed in version 4.5.4.

Affected Version(s)

yeswiki < 4.5.4

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved