CVE-2025-11138
Published: 29 September 2025
Summary
CVE-2025-11138 is a low-severity Command Injection (CWE-77) vulnerability in Wenkucms Project Wenkucms. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked in the top 27.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-11138 is an OS command injection vulnerability (CWE-77, CWE-78) in mirweiye wenkucms versions up to 3.4. The flaw affects the createPathOne function in the file app/common/common.php, where manipulation enables command injection. Published on 2025-09-29, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges, such as an authenticated user, can exploit this remotely with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability via OS command execution.
Advisories referenced in VulDB entries (ctiid.326215, id.326215, submit.657055) and a GitHub issue (electroN1chahaha/wenkucms-RCE/issues/1) confirm the remote attack vector. The exploit has been made public and could be used. No specific patch or mitigation details are provided in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31491
Vulnerability details
A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in public-facing web app (wenkucms) allows remote authenticated RCE via Unix shell (bash reverse shell PoC), mapping to Unix Shell execution, exploitation of public-facing application, and indirect command execution as noted in advisory.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly requires validation and sanitization of untrusted input to the createPathOne function, blocking the OS command injection vector described in the CVE.
AC-6 (Least Privilege): Enforces least privilege on the web application process and authenticated users, limiting the scope of commands that can be executed even if injection succeeds.
Enables monitoring of system calls and command execution patterns that would reveal the remote command injection attempts against common.php.