Cyber Posture

CVE-2025-11138

Severity: Medium · Public PoC

Published: 29 September 2025

Modified: 29 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0026 (49.8th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11138 is a medium-severity Command Injection (CWE-77) vulnerability in Wenkucms Project Wenkucms. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). Its EPSS score places it at the 49.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and 2 other techniques.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-78): Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Control (addresses CWE-78): Validates inputs to block special elements that would alter OS command execution.
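As an added illustration of the second control (input validation against shell metacharacters), not code from wenkucms or from this page's source: the PHP below contrasts a hypothetical path-creation helper that interpolates user input into a shell command with a hardened version that allowlist-validates the input and avoids the shell entirely, plus a variant for cases where a shell command is unavoidable. The function names, the `$name` parameter and the base directory are assumptions.

```php
<?php
// Added example, not wenkucms code. Demonstrates the CWE-78 mitigation
// "validate inputs to block special elements that alter OS command execution".

// Hypothetical vulnerable pattern: user input reaches the shell unescaped,
// so a name containing a metacharacter (e.g. ";") changes the command that runs.
function createPathUnsafe(string $base, string $name): void
{
    shell_exec("mkdir -p " . $base . "/" . $name);
}

// Hardened version: allowlist-validate, then use the PHP filesystem API
// instead of a shell, so metacharacters can never be interpreted.
function createPathSafe(string $base, string $name): string
{
    // Only letters, digits, underscore and hyphen, 1..64 chars. This rejects
    // shell metacharacters (; | & $ ` etc.) and path traversal ("..", "/").
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid path name');
    }
    $target = rtrim($base, '/') . '/' . $name;
    if (!is_dir($target) && !mkdir($target, 0750, true)) {
        throw new RuntimeException('unable to create directory');
    }
    return $target;
}

// If a shell command is genuinely unavoidable, validate AND quote each
// argument with escapeshellarg(); validation alone is the primary control.
function shellSafeMkdir(string $base, string $name): void
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid path name');
    }
    $cmd = 'mkdir -p ' . escapeshellarg(rtrim($base, '/') . '/' . $name);
    exec($cmd, $out, $rc);
    if ($rc !== 0) {
        throw new RuntimeException('mkdir failed');
    }
}

// Constructed sample inputs for a quick self-check of the validator.
foreach (['report-2025', 'x; id', '../etc'] as $candidate) {
    try {
        createPathSafe(sys_get_temp_dir(), $candidate);
        echo "accepted: $candidate\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $candidate\n";
    }
}
```

The self-check accepts `report-2025` and rejects both `x; id` and `../etc`. The design choice to prefer `mkdir()` over any shell invocation removes the injection surface entirely; `escapeshellarg()` is a secondary defence for code paths that cannot be rewritten away from the shell.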

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

OS command injection in a public-facing web app (wenkucms) allows remote authenticated RCE via a Unix shell (the public PoC uses a bash reverse shell). This maps to Unix Shell execution, exploitation of a public-facing application, and indirect command execution, as noted in the advisory.

NVD Description

A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.

Deeper analysis (AI)

CVE-2025-11138 is an OS command injection vulnerability (CWE-77, CWE-78) in mirweiye wenkucms versions up to 3.4. The flaw affects the createPathOne function in the file app/common/common.php, where manipulation of its input enables command injection. Published on 2025-09-29, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

An attacker with low privileges, such as an authenticated user, can exploit this remotely with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability via OS command execution.

Advisories referenced in VulDB entries (ctiid.326215, id.326215, submit.657055) and a GitHub issue (electroN1chahaha/wenkucms-RCE/issues/1) confirm the remote attack vector. The exploit has been made public and could be used. No specific patch or mitigation details are provided in the available information.

Details

CWE(s): CWE-77, CWE-78

Affected Products: wenkucms project, wenkucms, version 3.4

CVEs Like This One

CVE-2025-10328 (shared CWE-77, CWE-78)
CVE-2025-8828 (shared CWE-77, CWE-78)
CVE-2025-10327 (shared CWE-77, CWE-78)
CVE-2025-9575 (shared CWE-77, CWE-78)
CVE-2025-8259 (shared CWE-77, CWE-78)
CVE-2025-9026 (shared CWE-77, CWE-78)
CVE-2025-10326 (shared CWE-77, CWE-78)
CVE-2025-7414 (shared CWE-77, CWE-78)
CVE-2025-14586 (shared CWE-77, CWE-78)
CVE-2025-8829 (shared CWE-77, CWE-78)