
Cloud Vulnerability DB
A community-led vulnerabilities database
YesWiki, a PHP-based wiki system, contains a vulnerability (CVE-2025-24019) in versions up to and including 4.4.5. Through the filemanager functionality, any authenticated user can delete any file on the host that the PHP-FPM (FastCGI Process Manager) worker user is permitted to remove; the deletion is not confined to the wiki's upload directory or to any other part of the filesystem (GitHub Advisory).
The flaw is in the fmErase() function in tools/attach/libs/attach.lib.php. The function neither canonicalizes nor validates the user-supplied file path and passes it straight to unlink(), so a path pointing outside the upload directory is deleted as readily as a legitimate attachment. The fmDelete() function is affected as well: it lets a user delete files attached to any existing wiki page, regardless of who owns the page or uploaded the file (GitHub Advisory). The vulnerability has been assigned a CVSS score of 7.1, indicating high severity.
An authenticated user can therefore remove arbitrary attachments from the wiki, causing partial data loss and defacement. In standard installations where the PHP-FPM user (typically www-data) owns the application files, an attacker can go further and delete YesWiki's own files such as index.php, taking the wiki offline entirely. Container images typically ship the application files owned by root while PHP runs as www-data, which confines deletion to what www-data can write, but the risk remains significant for conventional deployments (GitHub Advisory).
Version 4.5.0 contains a patch for this issue. The fix restricts the paths fmErase() will act on to the upload_path directory and requires the filename to end with a trash date pattern before deletion, so only attachments that were previously moved to the trash can be erased. Systems that cannot update immediately should ensure that the PHP-FPM user has no write permission on the directories holding YesWiki's code (unlink() requires write access to the parent directory, not ownership of the file), so that any deletion is confined to the upload directory (GitHub Advisory).
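The following PHP example is added here to illustrate the flaw class and the two checks the fix is described as adding. It is not YesWiki's code: the function names fmEraseVulnerable() and fmEraseHardened(), the upload directory used, and the exact trash suffix format ("_trash" followed by a 14-digit YYYYMMDDHHMMSS timestamp) are assumptions made for the demonstration, and the files it operates on are constructed in a temporary directory.

```php
<?php
// Added illustrative example, not YesWiki's own code. Function names, the
// upload directory and the trash suffix format are assumptions.
declare(strict_types=1);

/**
 * Vulnerable pattern: the caller-supplied path reaches unlink() unchecked.
 * Anything the PHP-FPM user may delete is reachable, e.g. "../index.php".
 */
function fmEraseVulnerable(string $userSuppliedPath): bool
{
    return @unlink($userSuppliedPath);
}

/**
 * Hardened pattern mirroring the two checks described in the advisory:
 *   1. the file name must carry the trash date suffix, so only files that
 *      were previously moved to the trash can be erased;
 *   2. the canonical path must lie inside the upload directory.
 * Returns true only if both checks pass and unlink() succeeds.
 */
function fmEraseHardened(string $uploadPath, string $userSuppliedName): bool
{
    // Assumed suffix format. \z (not $) so a trailing newline cannot slip past.
    if (!preg_match('/_trash\d{14}\z/', $userSuppliedName)) {
        return false; // not a trashed file
    }

    $base = realpath($uploadPath);
    if ($base === false) {
        return false; // upload directory missing
    }

    // realpath() collapses "../" and resolves symlinks, so a name that walks
    // out of the upload directory ends up as a path outside $base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userSuppliedName);
    if ($target === false) {
        return false; // file does not exist
    }

    // Containment: prefix-match on "<base>/" rather than "<base>", so a sibling
    // directory such as "/var/www/files_other" does not pass as inside.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false; // path escapes the upload directory
    }

    if (!is_file($target)) {
        return false; // refuse directories and special files
    }

    return unlink($target);
}

// Constructed demo layout: an "application file" next to an upload directory.
$tmp = sys_get_temp_dir() . '/yw_demo_' . bin2hex(random_bytes(4));
$uploadPath = $tmp . '/files';
mkdir($uploadPath, 0700, true);
file_put_contents($tmp . '/index.php', "<?php // stand-in for the wiki entry point\n");
file_put_contents($tmp . '/index.php_trash20250101120000', "decoy outside uploads\n");
file_put_contents($uploadPath . '/live.pdf', 'still attached to a page');
file_put_contents($uploadPath . '/old.pdf_trash20250101120000', 'moved to trash');

// Hardened variant: traversal without suffix, traversal with suffix (fails
// containment), a live attachment (fails suffix), and a genuine trashed file.
var_dump(fmEraseHardened($uploadPath, '../index.php'));
var_dump(fmEraseHardened($uploadPath, '../index.php_trash20250101120000'));
var_dump(fmEraseHardened($uploadPath, 'live.pdf'));
var_dump(fmEraseHardened($uploadPath, 'old.pdf_trash20250101120000'));
var_dump(file_exists($tmp . '/index.php'));

// Vulnerable variant: the same traversal against the application file.
var_dump(fmEraseVulnerable($uploadPath . '/../index.php'));
var_dump(file_exists($tmp . '/index.php'));

// Remove the constructed files.
foreach (glob($uploadPath . '/*') as $f) {
    unlink($f);
}
foreach (glob($tmp . '/*') as $f) {
    if (is_file($f)) {
        unlink($f);
    }
}
rmdir($uploadPath);
rmdir($tmp);
```

Run it with `php example.php`. The order of the two checks matters less than having both: the suffix test alone would still allow deleting a trashed-looking name outside the upload directory (the decoy above), and the containment test alone would still let any attachment be erased without first going through the trash.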
Source: This report was generated using AI