WikiDocs CVE-2025-7887

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-07-20 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Passive (P)
Scope: Not Defined (X)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:24 (vuln.today)

Description (CVE.org)

A vulnerability has been found in Zavy86 WikiDocs up to 1.0.78 and classified as problematic. This vulnerability affects unknown code of the file template.inc.php. The manipulation of the argument path leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

Cross-site scripting (XSS) in WikiDocs up to version 1.0.78 allows remote attackers to inject malicious scripts via the path parameter in template.inc.php; user interaction is required to trigger it. Public exploit code is available, but the CVSS score is low (2.1) because of the user-interaction requirement and the limited impact scope, and the EPSS score of 0.10% indicates minimal real-world exploitation likelihood despite public disclosure.

Technical Context (AI)

WikiDocs is a lightweight PHP-based wiki system. The vulnerability is in template.inc.php, where user-supplied input from the path parameter is written to the page without proper sanitization, violating CWE-79 (Improper Neutralization of Input During Web Page Generation). Because of inadequate input validation in a server-side PHP template rendering function, attacker-controlled path values are reflected in HTTP responses without HTML encoding or contextual escaping, leading to reflected or DOM-based XSS execution in users' browsers.

Remediation (AI)

Upgrade WikiDocs to a release newer than 1.0.78 once a patched version is available. If no patch has been released, HTML-encode the path parameter before it is output in template.inc.php (using PHP functions such as htmlspecialchars() or htmlentities()) with the ENT_QUOTES flag and an explicit UTF-8 charset, so that both single and double quotes are encoded and cannot break out of an attribute or element. Add a Content Security Policy (CSP) header that restricts script-src to limit the impact of any reflected XSS. Monitor the WikiDocs GitHub repository (https://github.com/Zavy86/WikiDocs/issues/256) for patch announcements. If patch status is unclear, restrict network access to WikiDocs instances with firewall rules, or require authentication at a reverse proxy, to reduce exposure.
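The encoding and CSP steps above, as an added PHP example (not WikiDocs' own code): the render functions and the attribute context are hypothetical stand-ins for the reflection point in template.inc.php, which the advisory does not show.

```php
<?php
// Added illustrative example, not code from WikiDocs. Only the parameter name
// ($path) and the file name template.inc.php come from the advisory; the
// surrounding rendering code is a hypothetical reflection point.

// Vulnerable pattern: the request parameter is concatenated straight into HTML,
// so a value containing " or < changes the markup instead of being shown as text.
function render_path_unsafe(string $path): string
{
    return '<input type="text" name="path" value="' . $path . '">';
}

// Hardened pattern: encode for an HTML attribute context. ENT_QUOTES covers both
// ' and ", ENT_SUBSTITUTE keeps invalid UTF-8 from collapsing the output to an
// empty string, and the explicit charset avoids encoding mismatches.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_path_safe(string $path): string
{
    return '<input type="text" name="path" value="' . esc($path) . '">';
}

// Defence in depth: a CSP that disallows inline scripts, so a reflected value
// that slipped past encoding still cannot execute. Must be sent before any output.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// Constructed sample input: a path value containing the characters that matter
// in an attribute context (quote and angle brackets), used when no request is present.
$path = $_GET['path'] ?? 'docs/"><i>x</i>';

send_csp_header();
echo render_path_safe($path), PHP_EOL;
```

Comparing the two render functions on the same input shows the difference: the unsafe form emits the quote and tags as live markup, the safe form emits them as entities.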

CVE-2025-7887 vulnerability details – vuln.today
