Platform
php
Component
yeswiki/yeswiki
Fixed in
4.5.5
4.5.4
CVE-2025-46348 is a critical vulnerability affecting YesWiki versions up to and including 4.5.3. It allows unauthenticated attackers to trigger the creation of a site backup and then download it, exposing whatever the backup contains. The root cause is missing authentication checks on the backup creation and retrieval operations: neither step verifies that the caller is an administrator. A fix is available in version 4.5.4.
The primary impact of CVE-2025-46348 is the unauthorized exposure of sensitive data stored within YesWiki backups. Attackers can download complete site archives without authenticating. These archives may contain the database dump (including user accounts and their password hashes), configuration files, uploaded files, and other confidential information. The predictable naming of the backup files further simplifies exploitation: once an attacker has triggered a backup, they can guess the archive name instead of having to enumerate the directory. A downloaded archive can lead to a data breach, reuse of the recovered credentials, and compromise of the entire YesWiki instance.
This vulnerability was publicly disclosed on 2025-04-29. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential for significant data exposure make it a high-priority vulnerability. No authentication is required for either backup operation, so exploitation needs nothing more than HTTP access to the instance. The vulnerability is not listed in CISA's KEV catalog at the time of writing.
Exploit Status
EPSS: 0.44% (63rd percentile)
CISA SSVC: not listed
CVSS Vector: not listed
The primary mitigation for CVE-2025-46348 is to upgrade YesWiki to version 4.5.4 or later immediately. If upgrading is not immediately feasible, use temporary workarounds: restrict access to the backup API routes and to the directory where archives are written (for example, allow only administrator IP addresses at the web server or reverse proxy), or disable the backup feature if your deployment offers a way to do so. Review web server access logs for requests related to archive creation and download, paying particular attention to successful requests from clients that never authenticated as an administrator. Any archive created during the exposure window should be deleted, and if a download by an unknown client is found, treat the database credentials and user password hashes in that archive as compromised. After upgrading, confirm the fix from an unauthenticated session (a private browser window, or a client with no session cookie) by attempting to create and then download a backup; both requests should be denied, and no new archive file should appear on the server.
Update YesWiki to version 4.5.4 or higher. This version fixes the vulnerability that allows unauthenticated site backups to be created and downloaded. The update prevents unauthenticated attackers from accessing sensitive site information and from exhausting disk space by repeatedly requesting backups.
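The two checks the mitigation text asks for, deciding whether a deployed version is in the affected range and reviewing access logs for backup requests, as an added example; this is not YesWiki project code. It assumes the backup API is reachable under an `api/archives` route (the exact route is an assumption, adjust ARCHIVE_RE for your instance) and that the web server writes Combined Log Format; the log lines below are constructed for the example.

```python
"""Triage helpers for CVE-2025-46348 (added example, not YesWiki code).

Assumptions, not stated by the advisory page:
  - the backup API is served under an "api/archives" route, reached either
    as /api/archives or, with YesWiki's query-style URLs, as /?api/archives;
  - access logs are in Combined Log Format.
"""
import re

FIXED_VERSION = (4, 5, 4)  # first release with the fix

VERSION_RE = re.compile(r"^[vV]?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(version):
    """'4.5.3' -> (4, 5, 3); '4.4' -> (4, 4, 0); 'v4.5.10' -> (4, 5, 10)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version):
    """True when the installed YesWiki release predates the fix in 4.5.4."""
    return parse_version(version) < FIXED_VERSION


# Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed route; lookahead keeps match.end() right after "archives".
ARCHIVE_RE = re.compile(r"(?:^|[/?])api/archives(?=[/?]|$)", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(method, path):
    """Map a request to the backup operation it performs, or None."""
    m = ARCHIVE_RE.search(path)
    if not m:
        return None
    rest = path[m.end():]
    # A trailing path segment names a specific archive (download/delete).
    target = rest[1:].split("?")[0] if rest.startswith("/") else ""
    if method == "POST" and not target:
        return "archive_create"
    if method == "GET":
        return "archive_download" if target else "archive_list"
    return "archive_other"


def scan_access_log(lines):
    """Return one finding per request that touched the backup API."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        kind = classify(rec["method"], rec["path"])
        if kind is None:
            continue
        findings.append({
            "ip": rec["ip"], "ts": rec["ts"], "kind": kind,
            "status": rec["status"],
            "succeeded": 200 <= rec["status"] < 300,
        })
    return findings


def suspicious_clients(findings):
    """Clients that successfully created or downloaded an archive.

    On an unpatched instance any client can do this; cross-check these
    addresses against administrator logins before treating them as benign.
    """
    return {f["ip"] for f in findings
            if f["succeeded"] and f["kind"] in ("archive_create", "archive_download")}


# Constructed sample log; addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:10:01:12 +0000] "GET /?PagePrincipale HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2025:10:01:30 +0000] "POST /?api/archives HTTP/1.1" 200 84 "-" "curl/8.4.0"
203.0.113.7 - - [29/Apr/2025:10:02:45 +0000] "GET /?api/archives/20250429100130 HTTP/1.1" 200 18834421 "-" "curl/8.4.0"
198.51.100.22 - - [29/Apr/2025:10:03:01 +0000] "GET /?api/archives HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    for v in ("4.5.3", "4.5.4", "4.4"):
        print(f"YesWiki {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    found = scan_access_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['kind']} -> {f['status']}")
    print("clients to investigate:", sorted(suspicious_clients(found)))
```

Run it against a real log with `scan_access_log(open("access.log"))`; the sample output shows the pattern to look for on an unpatched instance, a successful POST creating an archive followed shortly by a successful GET of a timestamp-named file from the same client. After the upgrade, the same sequence from an unauthenticated client should appear with 401/403 responses, as the last sample line does.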
CVE-2025-46348 is a critical vulnerability in YesWiki versions up to 4.5.3 that allows unauthenticated users to create and download site backups, potentially exposing sensitive data.
Yes, you are affected if you are running YesWiki version 4.5.3 or earlier. Check the version of your instance now and upgrade if necessary.
Upgrade YesWiki to version 4.5.4 or later to resolve this vulnerability. If an immediate upgrade is not possible, apply temporary workarounds such as restricting access to the backup API routes and the archive directory.
While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a high-priority vulnerability.
Refer to the YesWiki project's official website and security advisories for the latest information and updates regarding CVE-2025-46348.