CVE-2025-46550: 
PHP vulnerability analysis and mitigation

YesWiki, a PHP-based wiki system, was found to contain a reflected cross-site scripting (XSS) vulnerability prior to version 4.5.4. The vulnerability was identified with CVE-2025-46550 and was disclosed on April 29, 2025. The security flaw specifically affects the /?BazaR endpoint and idformulaire parameter of the application (GitHub Advisory, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 4.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The issue stems from improper input validation in the /?BazaR endpoint where the idformulaire parameter accepts and reflects unvalidated user input. An example of the vulnerable URL pattern is: https://yeswiki.net/?BazaR&vue=formulaire&action=confirm_delete&idformulaire=<script>alert(1)</script> (GitHub Advisory).

The vulnerability enables attackers to execute malicious JavaScript code in victims' browsers. When successfully exploited, attackers can steal authenticated users' cookies through crafted malicious links, potentially leading to session hijacking. Additionally, the vulnerability could be used to deface websites or embed malicious content (NVD).

The vulnerability has been patched in YesWiki version 4.5.4. Users are advised to upgrade to this version or later to protect against this security issue (NVD).