CVE-2025-46347
Published: 29 April 2025
Summary
CVE-2025-46347 is a medium-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in YesWiki. Its CVSS base score is 5.8 (Medium).
Operationally, it ranks in the top 14.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
YesWiki, a PHP-based wiki system, is affected by a remote code execution vulnerability in versions prior to 4.5.4. The flaw stems from an arbitrary file write primitive that permits an attacker to create a file with a .php extension; once written, the file can be accessed via the web server to execute arbitrary code, resulting in full server compromise. The issue is tracked under CWE-116 and carries a CVSS 4.0 score of 5.8.
An attacker can exploit the weakness by supplying crafted input that triggers the file-write operation, after which browsing to the newly created PHP file achieves code execution. The description notes that this sequence could occur unwittingly through actions taken by a legitimate user, and the attack requires no special privileges beyond the ability to reach the vulnerable write functionality.
The project has released version 4.5.4 to address the issue, with the fix documented in commit 8fe5275a78dc7e0f9c242baa3cbac6b5ac1cc066 and detailed in GitHub Security Advisories GHSA-88xg-v53p-fpvf.
EPSS for the CVE rose from lower values to a peak of 0.0539 on 2026-06-08 before receding to the current 0.0240, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12614
Vulnerability details
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to remote code execution. An arbitrary file write can be used to write a file with a PHP extension, which can then be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of the server. This could potentially be performed unwittingly by a user. This issue has been patched in version 4.5.4.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validating that output matches expected content directly mitigates failures to properly encode or escape data for its destination context.
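The control above, applied to the file-write primitive described in the analysis: before anything is written under a web-served directory, the user-controlled name is checked so that the result can never be a file the PHP interpreter would execute. This is an added defensive example, not YesWiki's code or the commit that fixed the CVE; the base directory, the extension allowlist and the list of executable extensions are assumptions for the example. It also rejects double extensions and path traversal, which the page does not discuss.

```php
<?php
// Added example (not YesWiki's code): validate a user-controlled file name
// before writing it into a web-served directory, so an arbitrary-write bug of
// the kind described for CVE-2025-46347 cannot produce a server-executable file.
// The allowlists below and the directory in the usage line are assumptions.
declare(strict_types=1);

final class SafeFileTarget
{
    /** Extensions a typical PHP handler configuration would execute. */
    private const EXECUTABLE = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps', 'pht'];
    /** Deny-by-default allowlist of what the application expects to store. */
    private const ALLOWED = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];

    public static function resolve(string $baseDir, string $userName): string
    {
        // 1. Keep only the last path component: no directories, no "..".
        $name = basename(str_replace('\\', '/', $userName));
        if ($name === '' || $name === '.' || $name === '..') {
            throw new InvalidArgumentException('empty or dot file name');
        }
        // 2. Restrict the character set (\z, not $, so a trailing newline fails);
        //    a leading dot is rejected too, which rules out ".htaccess"-style names.
        if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+\z/', $name)) {
            throw new InvalidArgumentException('unexpected characters in file name');
        }
        // 3. Inspect every extension segment, so "shell.php.png" is rejected as well.
        $parts = array_map('strtolower', array_slice(explode('.', $name), 1));
        foreach ($parts as $ext) {
            if (in_array($ext, self::EXECUTABLE, true)) {
                throw new InvalidArgumentException('server-executable extension rejected');
            }
        }
        // 4. The final extension must be on the allowlist.
        if (!in_array(end($parts), self::ALLOWED, true)) {
            throw new InvalidArgumentException('extension not on allowlist');
        }
        // 5. Defence in depth: the resolved target must stay inside the base directory.
        $base = realpath($baseDir);
        if ($base === false) {
            throw new RuntimeException('base directory does not exist');
        }
        $target = $base . DIRECTORY_SEPARATOR . $name;
        if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            throw new RuntimeException('target escaped base directory');
        }
        return $target;
    }
}

// Usage with a hypothetical upload directory: write only once every check passed.
// $path = SafeFileTarget::resolve('/var/www/yeswiki/files', $_POST['name'] ?? '');
// file_put_contents($path, $data);
```

Pairing this with a web-server rule that disables script execution in the upload directory covers the case where a handler mapping executes an extension missing from the EXECUTABLE list.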