CVE-2025-46346 is a stored cross-site scripting (XSS) vulnerability affecting versions of YesWiki prior to 4.5.4. YesWiki is a PHP-based wiki system that allows collaborative content creation and editing. The vulnerability resides in the comments feature, where user input is not properly sanitized or encoded before being rendered on web pages. Although the application blocks direct <script> tags, it fails to neutralize JavaScript payloads obfuscated using block comments (e.g., /* JavaScriptPayload */). This flaw enables an attacker to inject malicious JavaScript code into comments, which is then stored on the server and executed in the browsers of any users who view the affected comments. The vulnerability does not require authentication and can be exploited remotely with low complexity, as no special privileges or user interaction beyond viewing the comment are needed. The CVSS 4.0 score is 6.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction (viewing the comment). The impact is primarily on confidentiality and integrity, as the attacker can execute arbitrary scripts in the context of the victim’s browser, potentially stealing session cookies, performing actions on behalf of the user, or redirecting to malicious sites. Availability impact is minimal. The issue has been patched in YesWiki version 4.5.4, which properly sanitizes and encodes user input to prevent execution of obfuscated JavaScript payloads. No known exploits are reported in the wild as of the publication date.

For European organizations using YesWiki versions prior to 4.5.4, this vulnerability poses a significant risk to user data confidentiality and integrity. Attackers could leverage the stored XSS to hijack user sessions, steal sensitive information, or perform unauthorized actions within the wiki environment. This is particularly concerning for organizations relying on YesWiki for internal documentation, knowledge sharing, or collaborative projects, where sensitive or proprietary information may be exposed. Additionally, the vulnerability could be used as a foothold for further attacks, such as phishing or malware distribution, by injecting malicious scripts that redirect users or load external payloads. The lack of authentication requirements and the ability to exploit remotely increase the threat surface. However, the impact on system availability is limited. Organizations with public-facing YesWiki instances are at higher risk, as any visitor could trigger the malicious payload. Internal deployments with restricted access reduce exposure but do not eliminate risk if internal users can be targeted. Overall, the vulnerability could undermine trust in the wiki platform and lead to data breaches or operational disruptions if exploited.

1. Immediate upgrade to YesWiki version 4.5.4 or later, where the vulnerability is patched. 2. If upgrading is not immediately possible, implement web application firewall (WAF) rules to detect and block suspicious comment inputs containing JavaScript block comment patterns or other obfuscated script payloads. 3. Conduct a thorough audit of existing comments to identify and remove potentially malicious scripts, especially those using obfuscated JavaScript techniques. 4. Enforce strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and loading of external scripts, mitigating the impact of any injected payloads. 5. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with user-generated content. 6. Monitor logs and user reports for signs of exploitation attempts or unusual behavior related to the wiki platform. 7. Review and enhance input validation and output encoding practices beyond the vendor patch, ensuring all user inputs are sanitized according to OWASP guidelines. 8. Consider isolating the wiki environment or limiting access to trusted users to reduce exposure.