CVE-2025-46346

Name of the Vulnerable Software and Affected Versions YesWiki versions prior to 4.5.4

Description A stored cross-site scripting (XSS) issue was found in the comments feature of YesWiki, a wiki system written in PHP. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user viewing the affected comment. The XSS occurs because the application fails to properly sanitize or encode user input submitted to the comments. Notably, the application sanitizes or does not allow execution of <script> tags, but does not account for payloads obfuscated using JavaScript block comments like /* JavaScriptPayload */.

Recommendations For versions prior to 4.5.4, update to version 4.5.4 to resolve the issue. As a temporary workaround, consider disabling the comments feature until a patch is available. Restrict access to the comments module to minimize the risk of exploitation. Avoid using the comments feature in the affected API endpoints until the issue is resolved.