PT-2025-5263 · Yeswiki · Yeswiki

Bwlryq +1 · Published 2025-01-21 · Updated 2025-01-22 · CVE-2025-24019

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions

YesWiki versions up to and including 4.4.5

Description

The issue allows any authenticated user to arbitrarily remove content from the Wiki, resulting in partial loss of data and defacement/deterioration of the website. This is possible through the use of the file manager, which does not properly sanitize or verify the path provided by the user, allowing a malicious user to specify any arbitrary file on the filesystem for deletion. The vulnerability can be exploited by accessing the filemanager and using the fmErase() function, which does not restrict the deletion to specific directories or files. In a standard installation, this could allow a malicious user to delete important PHP files, such as index.php or core files of YesWiki, thereby completely cutting off access to the wiki.

Recommendations

For YesWiki versions up to and including 4.4.5, consider updating to version 4.5.0, which contains a patch for this issue. As a temporary workaround, restrict the possible paths of fmErase() to the upload path directory and limit its use to trashed files only. Additionally, ensure that any request to fmErase() or fmDelete() originates from the owner of the resource to which the attachment is linked.
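
One way to apply the path part of the workaround above, as an added example that is not YesWiki's own code or its 4.5.0 patch: a hypothetical helper, `resolveErasablePath()`, that a deletion routine would call before unlinking anything. It assumes a flat upload directory and that trashed attachments end in `trash` plus a 14-digit timestamp (adjust the pattern to the real naming); the ownership check is not shown.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not YesWiki code): return the canonical path of a file
 * that may be permanently erased, or null if the request must be refused.
 */
function resolveErasablePath(string $uploadDir, string $requested): ?string
{
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;                       // misconfigured upload directory
    }
    // Reject NUL bytes and anything that is not a bare file name.
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested) {
        return null;
    }
    // Assumption: trashed attachments end in "trash" + 14-digit timestamp.
    if (preg_match('/trash\d{14}$/D', $requested) !== 1) {
        return null;
    }
    // realpath() resolves symlinks and "..", and fails for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Final containment check on the canonical path (catches symlink escapes).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a temporary "upload" directory with one trashed file.
$upload = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_' . bin2hex(random_bytes(4));
mkdir($upload, 0700);
touch($upload . DIRECTORY_SEPARATOR . 'report.pdftrash20250121120000');
touch($upload . DIRECTORY_SEPARATOR . 'live.pdf');

foreach (['report.pdftrash20250121120000', 'live.pdf', '../index.php',
          '../../etc/passwd', 'sub/x.pdftrash20250121120000'] as $candidate) {
    $ok = resolveErasablePath($upload, $candidate);
    printf("%-40s %s\n", $candidate, $ok === null ? 'refused' : 'allowed');
}
array_map('unlink', glob($upload . DIRECTORY_SEPARATOR . '*'));  // clean up demo files
rmdir($upload);
```

Only the first candidate is allowed; the live file, both traversal strings and the subdirectory path are refused before any filesystem deletion would take place.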

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-24019
GHSA-43C9-GW4X-PCX6

Affected Products

Yeswiki