CVE-2025-11138
BaseFortify
Publication date: 2025-09-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wenkucms_project | wenkucms | 3.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11138 is an OS command injection vulnerability in mirweiye wenkucms versions up to 3.4, specifically in the createPathOne function in app/common/common.php. It occurs because user-controlled input is improperly handled and directly used in OS command construction without proper sanitization, allowing remote attackers to execute arbitrary system commands. The vulnerability can be exploited remotely, and a public proof-of-concept exploit exists. In particular, an authenticated administrator can inject malicious commands via the wkcms_attach_path configuration, leading to remote code execution. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution on the affected system, allowing attackers to execute arbitrary OS commands. This can compromise the confidentiality, integrity, and availability of the system. An attacker could gain unauthorized access, execute malicious commands, and potentially take full control of the server running wenkucms. The exploit requires administrator access but can be triggered remotely, making it a serious security risk. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for the presence of the vulnerable file and function usage, such as using Google dorking with the query inurl:app/common/common.php to identify exposed instances. On your system, you can check if the affected software (wenkucms versions up to 3.4) is installed and if the vulnerable function createPathOne in app/common/common.php is present. Additionally, monitoring for unusual system calls or network connections, such as unexpected reverse shell connections on uncommon ports (e.g., port 2333 as used in the PoC), may indicate exploitation attempts. Specific commands to detect the vulnerability or exploitation attempts include: 1) Searching for the vulnerable file: `find /path/to/webroot -name common.php` and inspecting the createPathOne function; 2) Using network monitoring tools like `netstat -anp | grep 2333` to detect suspicious connections; 3) Checking web server logs for requests to the cropImg functionality or admin backend changes to wkcms_attach_path. However, no direct detection commands or signatures are documented. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Restricting or disabling access to the admin backend to prevent attackers from modifying the wkcms_attach_path configuration; 2) Removing or replacing the vulnerable software (wenkucms versions up to 3.4) with a secure alternative, as no known mitigations or patches are documented; 3) Monitoring and blocking suspicious network activity, especially outgoing connections to unknown hosts or ports; 4) Applying strict input validation and sanitization if possible, although this requires code changes. Since the vulnerability requires administrator access for exploitation, securing admin credentials and enforcing strong authentication is critical. [1, 2]