CVE-2025-11138
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11138
EUVD
EUVD-2025-31491
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wenkucms_project wenkucms 3.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11138 is an OS command injection vulnerability in mirweiye wenkucms versions up to 3.4, specifically in the createPathOne function in app/common/common.php. It occurs because user-controlled input is improperly handled and directly used in OS command construction without proper sanitization, allowing remote attackers to execute arbitrary system commands. The vulnerability can be exploited remotely, and a public proof-of-concept exploit exists. In particular, an authenticated administrator can inject malicious commands via the wkcms_attach_path configuration, leading to remote code execution. [1, 2]

Impact Analysis

This vulnerability can lead to remote code execution on the affected system, allowing attackers to execute arbitrary OS commands. This can compromise the confidentiality, integrity, and availability of the system. An attacker could gain unauthorized access, execute malicious commands, and potentially take full control of the server running wenkucms. The exploit requires administrator access but can be triggered remotely, making it a serious security risk. [1, 2]

Detection Guidance

This vulnerability can be detected by searching for the presence of the vulnerable file and function usage, such as using Google dorking with the query inurl:app/common/common.php to identify exposed instances. On your system, you can check if the affected software (wenkucms versions up to 3.4) is installed and if the vulnerable function createPathOne in app/common/common.php is present. Additionally, monitoring for unusual system calls or network connections, such as unexpected reverse shell connections on uncommon ports (e.g., port 2333 as used in the PoC), may indicate exploitation attempts. Specific commands to detect the vulnerability or exploitation attempts include: 1) Searching for the vulnerable file: `find /path/to/webroot -name common.php` and inspecting the createPathOne function; 2) Using network monitoring tools like `netstat -anp | grep 2333` to detect suspicious connections; 3) Checking web server logs for requests to the cropImg functionality or admin backend changes to wkcms_attach_path. However, no direct detection commands or signatures are documented. [1, 2]

Mitigation Strategies

Immediate mitigation steps include: 1) Restricting or disabling access to the admin backend to prevent attackers from modifying the wkcms_attach_path configuration; 2) Removing or replacing the vulnerable software (wenkucms versions up to 3.4) with a secure alternative, as no known mitigations or patches are documented; 3) Monitoring and blocking suspicious network activity, especially outgoing connections to unknown hosts or ports; 4) Applying strict input validation and sanitization if possible, although this requires code changes. Since the vulnerability requires administrator access for exploitation, securing admin credentials and enforcing strong authentication is critical. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11138. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart