
CVE-2025-46347: CWE-116: Improper Encoding or Escaping of Output in YesWiki yeswiki

Medium
Tags: Vulnerability, CVE-2025-46347, cve, cve-2025-46347, cwe-116
Published: Tue Apr 29 2025 (04/29/2025, 17:11:05 UTC)
Source: CVE
Vendor/Project: YesWiki
Product: yeswiki

Description

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to remote code execution. An arbitrary file write can be used to write a file with a PHP extension, which can then be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of the server. This could potentially be performed unwittingly by a user. This issue has been patched in version 4.5.4.

AI-Powered Analysis

Last updated: 06/25/2025, 02:19:46 UTC

Technical Analysis

CVE-2025-46347 is a vulnerability identified in YesWiki, a PHP-based wiki system, affecting all versions prior to 4.5.4. The core issue stems from improper encoding or escaping of output (CWE-116), which allows an attacker to perform an arbitrary file write on the server. Specifically, this vulnerability enables an attacker to write files with a .php extension to the server's filesystem. Once such a file is written, it can be accessed and executed via a web browser, leading to remote code execution (RCE). This RCE can result in a full compromise of the affected server, allowing the attacker to execute arbitrary commands, potentially escalate privileges, access sensitive data, or pivot within the network. Notably, exploitation does not require authentication but does require some user interaction, which could be unwitting, such as visiting a crafted URL or triggering a vulnerable function. The vulnerability has been patched in YesWiki version 4.5.4. The CVSS 4.0 score is 5.8 (medium severity), reflecting a network attack vector, low attack complexity, and no privileges required, offset by the need for user interaction, with high scope impact. There are no known exploits in the wild as of the publication date, but the potential for severe impact exists due to the nature of arbitrary file write and code execution on web-facing servers.

Potential Impact

For European organizations using YesWiki versions prior to 4.5.4, this vulnerability poses a significant risk. Since YesWiki is often used for collaborative documentation and knowledge management, a successful exploit could lead to unauthorized access to internal documentation, intellectual property, and potentially sensitive operational information. The ability to execute arbitrary code on the server could allow attackers to establish persistent backdoors, move laterally within the network, or disrupt services by modifying or deleting critical files. This could impact confidentiality, integrity, and availability of organizational data and services. Given that exploitation requires no authentication, any public-facing YesWiki instance is at risk, especially if users can be tricked into interacting with malicious content. The medium CVSS score reflects the need for user interaction, but the high scope means the compromise could extend beyond the application itself. Organizations in sectors with strict data protection regulations (e.g., GDPR) could face compliance and reputational damage if breaches occur. Additionally, the lack of known exploits in the wild does not preclude future targeted attacks, especially as threat actors often weaponize such vulnerabilities once publicly disclosed.

Mitigation Recommendations

1. Immediate upgrade of all YesWiki installations to version 4.5.4 or later to apply the official patch addressing this vulnerability.
2. If immediate patching is not feasible, implement web application firewall (WAF) rules to detect and block attempts to upload or write files with .php extensions or suspicious payloads targeting YesWiki endpoints.
3. Restrict file write permissions on the server to the minimum necessary, ensuring that the web server user cannot write executable files outside designated safe directories.
4. Monitor web server logs and application logs for unusual file creation activities or access patterns indicative of exploitation attempts.
5. Educate users about the risk of interacting with untrusted links or content within the wiki environment to reduce the likelihood of unwitting exploitation.
6. Conduct regular security audits and vulnerability scans focusing on web applications, especially those exposed to the internet.
7. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous behaviors related to file uploads and code execution.
8. Consider isolating YesWiki instances in segmented network zones to limit lateral movement in case of compromise.
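The check below is an added example, not code from YesWiki or from this advisory. It supports recommendations 3 and 4 by listing files with PHP-handled suffixes that appeared in data-only directories after a known-good baseline time. The directory names `files` and `cache`, the suffix list and the baseline timestamp are assumptions to adapt to the actual installation.

```python
import os
import tempfile
from pathlib import Path

# Suffixes a web server may hand to PHP (assumption: depends on handler config).
PHP_SUFFIXES = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}

def is_php_executable_name(name):
    """True if any suffix is PHP-handled, so 'x.php.bak' and 'x.PHP' both match."""
    return any(s.lower() in PHP_SUFFIXES for s in Path(name).suffixes)

def audit_data_dirs(webroot, data_dirs, baseline_ts):
    """Return (relative path, mtime) for PHP-named files newer than baseline_ts."""
    findings = []
    root = Path(webroot)
    for rel in data_dirs:
        base = root / rel
        if not base.is_dir():
            continue  # directory absent on this install
        for dirpath, _dirs, files in os.walk(base, followlinks=False):
            for name in files:
                if not is_php_executable_name(name):
                    continue
                full = Path(dirpath) / name
                mtime = int(full.lstat().st_mtime)
                if mtime > baseline_ts:
                    findings.append((full.relative_to(root).as_posix(), mtime))
    return sorted(findings)

def demo():
    """Audit a constructed tree; directory and file names are hypothetical."""
    baseline = 1_700_000_000  # constructed "last known-good deploy" time
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "files/photo.jpg": baseline + 50,    # ordinary data file
            "files/note.PHP": baseline + 60,     # new, PHP-handled suffix
            "cache/tpl.php.bak": baseline + 70,  # inner .php suffix
            "cache/old.php": baseline - 500,     # predates the baseline
            "includes/core.php": baseline + 80,  # code directory, not audited
        }
        for rel, mtime in samples.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed sample\n")
            os.utime(p, (mtime, mtime))
        return audit_data_dirs(root, ["files", "cache"], baseline)
```

Run `audit_data_dirs` against the real webroot with the time of the last trusted deployment as the baseline; any hit in a directory meant to hold only data warrants review.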


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-22T22:41:54.913Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d983cc4522896dcbee950

Added to database: 5/21/2025, 9:09:16 AM

Last enriched: 6/25/2025, 2:19:46 AM

Last updated: 8/14/2025, 2:32:19 PM
