WeiPHP Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in WeiPHP version 5.0, a development framework for WeChat public accounts created by Shenzhen Yuanmengyun Technology Co., Ltd. The vulnerability arises in the picUrl parameter of the /public/index.php/material/Material/_download_imgage endpoint. Due to inadequate input validation, unauthenticated remote attackers can exploit this flaw by sending crafted POST requests that perform directory traversal. This exploitation allows for arbitrary file reading on the server, potentially disclosing sensitive information such as configuration files and source code.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, including configuration files and source code, which could be misused for further attacks or to compromise the application.

Added: Jun 26, 2025, 6:06 PM

Updated: Jun 26, 2025, 6:06 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.4

remediation

0.0

relevance

0.2

threat

0.6

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.4

remediation

0.0

relevance

0.2

threat

0.6

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WeiPHP Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating