CVE-2025-46350: 
PHP vulnerability analysis and mitigation

YesWiki, a wiki system written in PHP, was found to contain a reflected cross-site scripting (XSS) vulnerability prior to version 4.5.4. The vulnerability was discovered and disclosed on April 29, 2025, affecting the system's page deletion functionality (GitHub Advisory, NVD).

The vulnerability exists in the page deletion endpoint '/?PagePrincipale%2Fdeletepage' through the 'incomingurl' parameter. The issue stems from improper validation of user input during web page generation. The vulnerability has been assigned a CVSS v3.1 base score of 3.5 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N, indicating network attack vector, low attack complexity, high privileges required, and user interaction required (Wiz).

When exploited, this vulnerability allows attackers to execute cross-site scripting attacks against authenticated users who click on malicious links. The successful exploitation can lead to cookie theft, enabling session hijacking. Additionally, attackers may be able to deface the website or embed malicious content (GitHub Advisory).

The vulnerability has been patched in YesWiki version 4.5.4. Users are advised to upgrade to this version or later to protect against this security issue (NVD).