CVE-2025-7887
BaseFortify
Publication date: 2025-07-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikidocs | wikidocs | to 1.0.78 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7887 is a reflected Cross-Site Scripting (XSS) vulnerability in Zavy86 WikiDocs up to version 1.0.78. It occurs because the application fails to properly HTML-escape user-supplied input in the URL path, specifically in the file template.inc.php. This allows attackers to inject and execute arbitrary JavaScript code in the victim's browser when they visit a crafted URL. The root cause is the lack of proper neutralization of the 'path' argument before it is included in the web page output. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary scripts in the context of a victim's browser without requiring authentication. Successful exploitation requires the victim to interact with a maliciously crafted URL. The impact includes potential session hijacking, theft of sensitive information, or other malicious actions performed via the injected scripts, compromising the integrity of the application and the security of its users. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the WikiDocs application for reflected XSS in the URL path parameter. You can reproduce the issue by accessing URLs with injected script payloads such as `http://your-wikidocs-host/"> <script>alert(42)</script>` or `http://your-wikidocs-host/%22%3E%3Cscript%3Ealert(1)%3C/script%3E`. Running the WikiDocs Docker container (`docker run -d -p 80:80 zavy86/wikidocs`) allows you to test locally. Additionally, you can use Google dorking with queries like `inurl:template.inc.php` to find vulnerable instances. Monitoring HTTP requests for suspicious URL paths containing script tags or encoded payloads can also help detect exploitation attempts. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves preventing the execution of injected scripts by ensuring proper HTML escaping of the 'path' parameter in the application code. Specifically, applying functions like `htmlspecialchars($path, ENT_QUOTES, 'UTF-8')` to neutralize any injected markup is recommended. If you cannot patch the application immediately, consider restricting access to the vulnerable WikiDocs instance, disabling it temporarily, or replacing it with an alternative product. Since no official mitigations are documented, upgrading beyond version 1.0.78 or applying custom patches to fix the escaping issue is advised. [1, 2, 3]