[CVE-2025-32461] Tiki Wiki CMS Groupware <= 28.3 Two SSTI Vulnerabilities

Source: https://karmainsecurity.com/KIS-2025-03

CVE-2025-32461 identifies two Server-Side Template Injection (SSTI) vulnerabilities in Tiki Wiki CMS Groupware versions up to and including 28.3. SSTI vulnerabilities occur when user input is improperly sanitized and subsequently evaluated or rendered by a server-side template engine. This can allow an attacker to inject malicious template code, which the server executes, potentially leading to remote code execution (RCE), data leakage, or unauthorized system access. Tiki Wiki CMS Groupware is an open-source content management and collaboration platform widely used for creating wikis, intranets, and groupware solutions. The presence of two distinct SSTI vulnerabilities suggests multiple template rendering components or endpoints are affected. Although no CVSS score or detailed technical exploit information is provided, the medium severity rating implies that exploitation may require some conditions such as specific user input vectors or partial authentication, but still poses a significant risk. No known exploits are currently reported in the wild, and patch information is not yet available, indicating that this is a recently disclosed vulnerability. The source of information is a Reddit NetSec post linking to karmainsecurity.com, a recognized security research outlet, lending credibility to the report. Given the nature of SSTI vulnerabilities, successful exploitation could allow attackers to execute arbitrary code on the server hosting the Tiki Wiki CMS, leading to full system compromise, data theft, or service disruption.

Reddit NetSec

Detailed information about [CVE-2025-32461] Tiki Wiki CMS Groupware <= 28.3 Two SSTI Vulnerabilities. Get real-time updates, technical details, and mitigation s

[CVE-2025-32461] Tiki Wiki CMS Groupware <= 28.3 Two SSTI Vulnerabilities - Live Threat Intelligence - Threat Radar | OffSeq.com

[CVE-2025-32461] Tiki Wiki CMS Groupware <= 28.3 Two SSTI Vulnerabilities

Reddit Discussion: [CVE-2025-32461] Tiki Wiki CMS Groupware <= 28.3 Two SSTI Vulnerabilities

A vulnerability, which was classified as critical, was found in code-projects Crime Reporting System 1.0. This affects an unknown part of the file /headlogin.php. The manipulation of the argument email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7172 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Crime Reporting System, specifically within the /headlogin.php file. The vulnerability arises from improper sanitization or validation of the 'email' parameter, which allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. Exploiting this flaw, an attacker can manipulate backend SQL queries, potentially leading to unauthorized data access, data modification, or even complete compromise of the underlying database. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with the vector highlighting network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L). Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation by threat actors. The absence of patches or mitigations from the vendor at this time further elevates the risk for users of this system. Given that the Crime Reporting System is likely used by law enforcement or related agencies to manage sensitive crime data, the exploitation of this vulnerability could lead to exposure of confidential information, manipulation of crime reports, or disruption of critical public safety operations.

CVE Database V5

Detailed information about CVE-2025-7172: SQL Injection in code-projects Crime Reporting System affecting code-projects Crime Reporting System. Get real-time up

CVE-2025-7172: SQL Injection in code-projects Crime Reporting System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7172: SQL Injection in code-projects Crime Reporting System

The The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVE-2025-6744 is a high-severity vulnerability affecting the Woodmart WordPress theme developed by xTemos, specifically impacting all versions up to and including 8.2.3. The vulnerability is classified under CWE-94, which pertains to improper control of code generation, commonly known as code injection. The root cause lies in the woodmart_get_products_shortcode() function, which improperly validates user-supplied input before passing it to the WordPress do_shortcode function. This flaw allows unauthenticated attackers to execute arbitrary shortcodes on the affected WordPress sites. Since shortcodes in WordPress can execute PHP code or trigger various plugin/theme functionalities, this vulnerability can lead to unauthorized code execution, potentially compromising the confidentiality, integrity, and availability of the affected systems. The CVSS 3.1 base score is 7.3, indicating a high severity, with an attack vector of network (AV:N), no privileges required (PR:N), no user interaction needed (UI:N), and an impact on confidentiality, integrity, and availability (C:L/I:L/A:L). Although no known exploits are currently reported in the wild, the ease of exploitation due to lack of authentication and user interaction requirements makes this vulnerability a significant risk for WordPress sites using the Woodmart theme. The absence of official patches at the time of reporting further elevates the urgency for mitigation.

Detailed information about CVE-2025-6744: CWE-94 Improper Control of Generation of Code ('Code Injection') in xTemos Woodmart affecting xTemos Woodmart. Get rea

CVE-2025-6744: CWE-94 Improper Control of Generation of Code ('Code Injection') in xTemos Woodmart - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6744: CWE-94 Improper Control of Generation of Code ('Code Injection') in xTemos Woodmart

TAG-140 Targets Indian Government Via 'ClickFix-Style' Lure

Source: https://www.darkreading.com/threat-intelligence/tag-140-indian-government-clickfix-lure

The threat identified as TAG-140 is a targeted cyber espionage campaign focusing on the Indian government, utilizing a 'ClickFix-Style' lure to compromise victims. The lure likely mimics or leverages a known vulnerability or social engineering tactic associated with the ClickFix platform or a similarly named service, aiming to deceive government employees into interacting with malicious content. Although specific technical details are sparse, the campaign appears to employ spear-phishing or watering-hole techniques to deliver malware or exploit vulnerabilities, enabling unauthorized access or data exfiltration. The absence of known exploits in the wild suggests this is an emerging threat, possibly in reconnaissance or early deployment stages. The campaign's targeting of government entities indicates a high level of sophistication and intent to gather sensitive information or disrupt governmental operations. The use of a lure resembling a legitimate service increases the likelihood of successful compromise by exploiting user trust and familiarity. Given the high severity rating and the focus on government targets, this threat represents a significant risk to national security and critical infrastructure within the affected region.

Reddit InfoSec News

Detailed information about TAG-140 Targets Indian Government Via 'ClickFix-Style' Lure. Get real-time updates, technical details, and mitigation strategies.

TAG-140 Targets Indian Government Via 'ClickFix-Style' Lure - Live Threat Intelligence - Threat Radar | OffSeq.com

TAG-140 Targets Indian Government Via 'ClickFix-Style' Lure

Reddit Discussion: TAG-140 Targets Indian Government Via 'ClickFix-Style' Lure

A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-student.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-7173: SQL Injection in code-projects Library System affecting code-projects Library System. Get real-time updates, technical

CVE-2025-7173: SQL Injection in code-projects Library System

CVE-2025-7173: SQL Injection in code-projects Library System

Description

Technical Details

Related Threats

[CVE-2025-32461] Tiki Wiki CMS Groupware <= 28.3 Two SSTI Vulnerabilities

CVE-2025-7172: SQL Injection in code-projects Crime Reporting System

CVE-2025-6744: CWE-94 Improper Control of Generation of Code ('Code Injection') in xTemos Woodmart

CVE-2025-7171: SQL Injection in code-projects Crime Reporting System

CVE-2025-7170: SQL Injection in code-projects Crime Reporting System

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility