Skip to main content

YesWiki CVE-2026-52777

CRITICAL
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-09 https://github.com/YesWiki/yeswiki GHSA-9369-69wj-7m2f
Share

Severity by source

vuln.today AI
8.3 HIGH

Network CSRF delivery (AV:N, PR:N) needs an authenticated admin victim to visit the page (UI:R) plus a working gadget chain (AC:H); RCE escapes the app to the host (S:C) with full C/I/A impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 21:49 vuln.today

DescriptionCVE.org

Details

Sink

tools/bazar/services/CSVManager.php line 372-399:

public function importEntry(array $importedEntries, string $formId): ?array
{
    if (!$this->importdone) {
        // ...
        foreach ($importedEntries as $entry) {
            $entry = unserialize(base64_decode($entry));   // <-- SINK
            $entry = array_map('strval', $entry);
            // ...

There is no ['allowed_classes' => false] argument; arbitrary classes are instantiated. The subsequent array_map('strval', $entry) additionally exercises __toString on each top-level array element, doubling the magic-method surface available to a gadget chain.

Source

tools/bazar/actions/BazarImportAction.php:

// formatArguments()
'mode' => (isset($_POST['submit_file']) && !empty($_FILES['fileimport']['name'])) ? 'submitfile' :
    (isset($_POST['importfiche']) ? 'importentries' : 'default'),
'importentries' => $_POST['importfiche'] ?? null,

// run()
case 'importentries':
    // ...
    $importedEntries = $this->CSVManager->importEntry($this->arguments['importentries'], $vID['id']);
    break;

$_POST['importfiche'] flows directly to the sink. The mode switches to 'importentries' whenever the request body contains the key, so an attacker need only POST importfiche[0]=<payload>.

Reachability

  1. The action is registered as bazarimport. The default BazaR page (setup/sql/default-content.sql -> BazaR page entry, ships with {{bazar showexportbuttons="1"}}) routes ?BazaR&vue=importer&id_typeannonce=<N> to BazarAction::run() -> case VOIR_IMPORTER -> callAction('bazarimport', ...) (tools/bazar/actions/BazarAction.php:257-258). So the sink is reachable on a default install with no extra page authoring.
  2. BazarImportAction::run() calls $this->checkSecuredACL() with the default $adminOnly=true. Only wiki admins (or accounts the admin has added to the bazarimport action ACL) can execute it.
  3. The importentries branch does NOT invoke CsrfTokenController::checkToken(...). Grepping tools/bazar/actions/BazarImportAction.php confirms the action class has no csrf or checkToken reference at all. This is asymmetric with sibling actions: tools/bazar/controllers/FormController.php does call checkToken('main', 'POST', 'confirmDeleteToken') for destructive operations. The import path skips the same protection.
  4. Therefore the full kill chain for a remote attacker is:

a. Identify any admin user on the target wiki. b. Deliver an HTML page (email, chat, link) that auto-POSTs importfiche[0]=<base64-encoded PHPGGC payload> to https://<wiki>/?BazaR&vue=importer&id_typeannonce=1. c. The admin's session cookie is sent automatically; the action passes checkSecuredACL; the unserialize fires.

Gadget chain availability

composer.json requires doctrine/annotations ^1.11 and doctrine/cache ^1.10. Both have published PHPGGC chains (Doctrine/RCE1, Doctrine/FW1, Doctrine/FW2, etc., from https://github.com/ambionics/phpggc). These chains terminate in either system($cmd) (RCE1) or file_put_contents($php_file, $contents) (FW1) entry-points -- both sufficient to give the attacker shell on the YesWiki host.

This advisory does not include a working PHPGGC chain end-to-end (writing a chain that survives YesWiki's exact dependency-resolved class graph is separate work). The PoC demonstrates the primitive (attacker-controlled class instantiation + magic-method execution); the chain is a downstream exercise using public tooling.

Past advisories cross-check

YesWiki's published GitHub advisories cover XSS, SQLi, arbitrary-PHP-file-write RCE, path traversal, and unauthenticated backup download. None covers an unserialize / PHP-object-injection sink, so this is a novel vulnerability class for the project.

PoC

A self-contained PoC reproducing the inner loop is available; it copies the exact two-line sink and proves that attacker-controlled __destruct runs without booting the full application.

Run:

php poc.php

Output (verbatim):

Crafted importfiche[0] payload (form-ready, urlencoded):
YToxOntpOjA7Tzo2OiJHYWRnZXQiOjE6e3M6NjoibWFya2VyIjtzOjIyOiJQV05FRC1GUk9NLVVOU0VSSUFMSVpFIjt9fQ%3D%3D

== before importEntry ==
[Gadget] __destruct fired with marker='PWNED-FROM-UNSERIALIZE'
PHP Fatal error:  Uncaught Error: Object of class Gadget could not be converted to string ...
[Gadget] __destruct fired with marker='PWNED-FROM-UNSERIALIZE'

The two [Gadget] __destruct fired lines (one from inside the loop, one from the engine shutdown after the TypeError) confirm that the attacker-defined Gadget::__destruct executed -- with the attacker-supplied marker -- inside the unmodified importEntry code path.

End-to-end against a live YesWiki install:

curl -i -b "yeswiki_session=<admin_cookie>" \
     -X POST "https://wiki.example.com/?BazaR&vue=importer&id_typeannonce=1" \
     --data-urlencode \
     "importfiche[0]=YToxOntpOjA7Tzo2OiJHYWRnZXQiOjE6e3M6NjoibWFya2VyIjtzOjIyOiJQV05FRC1GUk9NLVVOU0VSSUFMSVpFIjt9fQ=="

(replace the payload with a real PHPGGC Doctrine/FW1 or Doctrine/RCE1 output to obtain RCE on the target host).

Impact

  • Authenticated wiki admin who lands on attacker-controlled HTML obtains remote code execution on the YesWiki server (via the cross-site forgery path; no admin interaction with the import UI is required).
  • An attacker who has already compromised an admin password upgrades from "wiki content management" to "OS shell on the hosting box".
  • The compromise survives the wiki layer entirely: the attacker can write web shells, exfiltrate other sites on shared hosting, modify wakka.config.php, dump the MySQL database, and pivot from there.

Suggested fix

  1. tools/bazar/services/CSVManager.php::importEntry -- pass ['allowed_classes' => false] to unserialize, or, better, replace the base64+serialize transport with the JSON transport the current UI already uses (?api/entries/{formId} POST in tools/bazar/presentation/javascripts/bazar-import.js). The serialized-PHP transport appears to be an unused legacy path.
  2. tools/bazar/actions/BazarImportAction.php -- add a CsrfTokenController::checkToken('main', 'POST', 'csrf-token', false) guard for the 'importentries' mode (and any other state-changing modes). The existing tools/bazar/controllers/FormController.php pattern can be lifted directly.

AnalysisAI

PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify logged-in wiki admin
Delivery
Deliver auto-POST HTML page
Exploit
Admin browser POSTs base64 PHPGGC payload
Execution
CSRF bypass passes ACL, unserialize instantiates gadget
Persist
Doctrine chain executes system()/file write
Impact
Web shell and host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires a YesWiki install where the BazaR tool is present (default installs ship the BazaR page and route ?BazaR&vue=importer, so no special page authoring is needed) and an authenticated administrator (or an account added to the bazarimport action ACL, enforced by checkSecuredACL with default $adminOnly=true) who is currently logged in and can be induced to visit an attacker-controlled web page - the missing CSRF token on the importentries mode is the specific enabling condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was provided by the source (CVSS: N/A), so exploitability metrics are inferred, not authoritative - authentication requirements cannot be confirmed from a vendor-supplied vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts an HTML page that auto-submits a POST containing importfiche[0]=<base64 PHPGGC Doctrine payload> to https://victim-wiki/?BazaR&vue=importer&id_typeannonce=1 and delivers the link to a YesWiki administrator by email or chat. When the logged-in admin opens the page, their session cookie is sent automatically, checkSecuredACL passes, and the unserialize() instantiates the gadget chain, running system()- or file_put_contents()-based code to drop a web shell on the host. …
Remediation Upstream fix available (commit); released patched version not independently confirmed - apply the fix in commit https://github.com/YesWiki/yeswiki/commit/8f70a8d6b8befa0e644d03c785701dbbc55b8fd0 and follow GHSA-9369-69wj-7m2f (https://github.com/YesWiki/yeswiki/security/advisories/GHSA-9369-69wj-7m2f), mapping the commit to its tagged release before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all YesWiki instances and review administrator activity logs; publicly available proof-of-concept code exists for the underlying object-injection vector. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-52777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy