CVE-2025-46347: 
PHP vulnerability analysis and mitigation

YesWiki, a PHP-based wiki system, was found to contain a critical remote code execution vulnerability (CVE-2025-46347) prior to version 4.5.4. The vulnerability was discovered and disclosed on April 29, 2025, affecting all versions before 4.5.4. The issue allows attackers to perform arbitrary file writes with PHP extensions, which can then be accessed to execute arbitrary code on the server (GitHub Advisory, NVD).

The vulnerability exists in the graphical configuration feature, specifically through the custom-presets API endpoint. An attacker can manipulate requests to write files with PHP extensions to the server. The vulnerability has been assigned a CVSS 4.0 score of 5.8 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P. The issue is related to improper encoding or escaping of output (CWE-116) (Wiz, NVD).

The vulnerability can lead to full compromise of the server through remote code execution. While initial file creation requires authentication, subsequent execution of the malicious file can be performed without authentication. The vulnerability could potentially be exploited unwittingly by users through XSS vulnerabilities (GitHub Advisory).

The vulnerability has been patched in YesWiki version 4.5.4. Recommended mitigations include restricting file extensions to a safelist (e.g., .css only) and disabling PHP execution in user-writable directories (GitHub Advisory).