CVE-2025-46347 Overview
CVE-2025-46347 is a Remote Code Execution (RCE) vulnerability affecting YesWiki, a wiki system written in PHP. Prior to version 4.5.4, the application is vulnerable to arbitrary file write attacks that allow an attacker to upload a file with a PHP extension. Once written to the server, the malicious PHP file can be accessed directly via a web browser, enabling arbitrary code execution and resulting in full server compromise. Notably, this attack could potentially be performed unwittingly by a user through social engineering or other means.
Critical Impact
Successful exploitation enables full server compromise through arbitrary code execution, allowing attackers to take complete control of the affected YesWiki installation and underlying server infrastructure.
Affected Products
- YesWiki versions prior to 4.5.4
- All YesWiki installations using the vulnerable CSS preset upload functionality
- Self-hosted YesWiki deployments without proper file extension validation
Discovery Timeline
- 2025-04-29 - CVE-2025-46347 published to NVD
- 2025-05-09 - Last updated in NVD database
Technical Details for CVE-2025-46347
Vulnerability Analysis
The vulnerability exists in the CSS preset upload functionality within YesWiki's template management system. The addCustomCSSPreset function in tools/templates/controllers/ApiController.php failed to properly validate file extensions before writing user-supplied content to disk. This improper encoding or escaping of output (CWE-116) allows attackers to bypass intended file type restrictions and upload malicious PHP files disguised as CSS presets.
When a user or attacker supplies a filename with a .php extension instead of the expected .css extension, the application accepts and writes the file to the server's filesystem. The attacker can then navigate to the uploaded PHP file via a direct URL request, causing the web server to execute the malicious code with the same privileges as the web application.
Root Cause
The root cause is improper output encoding and missing file extension validation (CWE-116) in the CSS preset upload functionality. The application trusted user-supplied filenames without verifying that the file extension matched the expected .css format, enabling arbitrary file type uploads to the web-accessible directory structure.
Attack Vector
The attack is network-based and requires user interaction. An attacker can craft a malicious request to the CSS preset upload endpoint with a PHP filename and malicious PHP code in the POST body. This could be delivered through:
- Direct exploitation by an authenticated attacker with access to the theme management functionality
- Social engineering attacks tricking legitimate users into performing the malicious upload
- Cross-Site Request Forgery (CSRF) attacks if additional CSRF protections are absent
The following patch demonstrates the security fix implemented in version 4.5.4:
*/
public function addCustomCSSPreset($presetFilename)
{
+ $fileParts = pathinfo($presetFilename);
+ if (strtolower($fileParts['extension']) !== 'css') {
+ return new ApiResponse(['code' => 400, 'message' => 'Wrong filename extension, should be .css'], 400);
+ }
$result = $this->getService(ThemeManager::class)->addCustomCSSPreset($presetFilename, $_POST);
$code = ($result['status'])
? 200 // 'OK'
Source: GitHub Commit Update
The patch adds validation using pathinfo() to extract the file extension and explicitly checks that it equals css (case-insensitive). If the extension does not match, the function returns a 400 Bad Request response, preventing the arbitrary file write.
Detection Methods for CVE-2025-46347
Indicators of Compromise
- Unexpected PHP files appearing in YesWiki's CSS preset or theme directories
- Web server access logs showing requests to unusual PHP files within theme-related paths
- POST requests to the CSS preset API endpoint containing non-CSS file extensions (e.g., .php, .phtml, .phar)
- Newly created files with PHP extensions in directories typically reserved for CSS assets
Detection Strategies
- Monitor file creation events in YesWiki's theme and template directories for files with executable extensions
- Implement web application firewall (WAF) rules to detect and block requests attempting to upload files with PHP-related extensions to CSS preset endpoints
- Review web server logs for POST requests to /api/ endpoints containing suspicious filename parameters
- Utilize file integrity monitoring (FIM) to alert on unauthorized file modifications in web-accessible directories
Monitoring Recommendations
- Enable detailed logging for all file write operations within the YesWiki application
- Configure real-time alerts for any PHP file creation in non-standard locations
- Implement security information and event management (SIEM) rules to correlate upload attempts with subsequent file access patterns
- Regularly audit theme and CSS preset directories for unauthorized files
How to Mitigate CVE-2025-46347
Immediate Actions Required
- Upgrade YesWiki to version 4.5.4 or later immediately
- Review existing CSS preset directories for any suspicious PHP files and remove unauthorized uploads
- Audit web server access logs for evidence of exploitation attempts
- Consider temporarily disabling the CSS preset upload functionality until patching is complete
Patch Information
The vulnerability has been patched in YesWiki version 4.5.4. The fix adds explicit file extension validation to the addCustomCSSPreset function, ensuring only files with .css extensions can be uploaded through this endpoint. The security patch is available via the GitHub Commit. Additional details can be found in the GitHub Security Advisory GHSA-88xg-v53p-fpvf.
Workarounds
- Restrict access to the CSS preset upload functionality to trusted administrators only
- Implement web server-level restrictions to prevent PHP execution in theme/CSS directories using .htaccess or equivalent configuration
- Deploy a web application firewall (WAF) rule to block requests containing PHP extensions in CSS preset upload requests
- Consider disabling the custom CSS preset feature entirely if not required for operations
# Apache .htaccess example to prevent PHP execution in CSS directories
# Place this in the YesWiki themes/CSS preset directory
<FilesMatch "\.ph(p[3-7]?|tml|ar)$">
Require all denied
</FilesMatch>
# Alternative: Disable PHP engine entirely for the directory
php_flag engine off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
