Tiki
cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*
- < 21.12
- < 24.8
- < 27.2
- < 28.3
A vulnerability allowing eval injection has been identified in Tiki Wiki CMS Groupware versions prior to 28.3. The issue arises in the 'wikiplugin_includetpl' function within the 'wikiplugin_includetpl.php' file, where input is improperly sanitized before being evaluated. This flaw could be exploited by manipulating the 'filename' parameter to execute arbitrary PHP code.
Exploitation of this vulnerability allows for arbitrary code execution on the server where Tiki is hosted.
To reproduce this vulnerability, use the 'wikiplugin_includetpl' function in a Tiki Wiki page or template. Pass a crafted 'filename' parameter that includes malicious PHP code. The lack of proper sanitization will allow the injected code to be executed on the server.
Users are advised to upgrade to Tiki versions 21.12, 24.8, 27.2, or 28.3.