CVE-2025-34045
published 2025-06-26

Priority: P1, 80, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 4.31% (89.9th percentile)
A path traversal vulnerability exists in WeiPHP 5.0, an open source WeChat public account platform development framework by Shenzhen Yuanmengyun Technology Co., Ltd. The flaw occurs in the picUrl parameter of the /public/index.php/material/Material/_download_imgage endpoint, where insufficient input validation allows unauthenticated remote attackers to perform directory traversal via crafted POST requests. This enables arbitrary file read on the server, potentially exposing sensitive information such as configuration files and source code. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Affected (2 ranges)

Vendor                                   Product   Version range   Fixed in
shenzhen_yuanmengyun_technology_co_ltd   weiphp    -               -
weiphp                                   weiphp    -               -

Detection & IOCs (extracted from sources)

url:  /public/index.php/material/Material/_download_imgage
path: ./../config/database.php
url:  /public/index.php/home/file/user_pics
path: /public/uploads/picture/
  • Detect exploitation attempts by monitoring POST requests to /public/index.php/material/Material/_download_imgage with a picUrl parameter containing path traversal sequences (e.g., ../ or ./../).
  • Alert on POST requests to the _download_imgage endpoint where picUrl references sensitive files such as config/database.php, which would expose database credentials.
  • Successful exploitation can be confirmed by the presence of 'DB_PREFIX' in HTTP response bodies from the _download_imgage endpoint, indicating a database configuration file was read.
  • Monitor for a two-stage exploitation pattern: an initial POST to _download_imgage followed by a GET to /public/index.php/home/file/user_pics and then retrieval of a file from /public/uploads/picture/.
  • Exploitation of this CVE was observed in the wild by the Shadowserver Foundation on 2025-02-05 UTC; treat any matching traffic from that date onward as high-priority.
  • The vulnerability is unauthenticated: no session token or credentials are required to exploit it, so perimeter authentication controls alone are insufficient.
  • The picUrl parameter is supplied as a query-string argument on a POST request, so WAF rules must inspect the URL query string of POST requests, not just the request body.
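An added example, not code from the advisory or from WeiPHP: a Python screen over access logs that implements the detection points above, flagging picUrl traversal in the query string of requests to _download_imgage (including double-encoded and backslash variants) and correlating the two-stage pattern per client IP. It assumes combined-format access logs; the sample lines are constructed, and the picUrl values reuse the IOC string listed above or a placeholder.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Endpoint, parameter and follow-up paths exactly as listed in the advisory's IOCs.
ENDPOINT = "/public/index.php/material/Material/_download_imgage"
STAGES = (ENDPOINT, "/public/index.php/home/file/user_pics", "/public/uploads/picture/")
SENSITIVE_FILE = "config/database.php"
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Combined-log-format prefix: client IP, timestamp, then the request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}')

def classify_request(line):
    """Return (ip, method, verdict): 'sensitive-file' > 'traversal' > 'probe'; None if unrelated."""
    if not (m := LOG_RE.match(line)):
        return None
    parts = urlsplit(m["target"])
    if parts.path != ENDPOINT:
        return m["ip"], m["method"], None
    verdict = "probe"  # endpoint hit whose picUrl shows no traversal
    # parse_qs percent-decodes once; unquote again catches double encoding; "\" is folded to "/".
    for raw in parse_qs(parts.query).get("picUrl", []):
        value = unquote(raw).replace("\\", "/")
        if SENSITIVE_FILE in value:
            return m["ip"], m["method"], "sensitive-file"
        if TRAVERSAL.search(value):
            verdict = "traversal"
    return m["ip"], m["method"], verdict

def find_two_stage(lines):
    """Return IPs that did a traversal POST, then GET user_pics, then a fetch from uploads/picture/."""
    progress = {}  # ip -> number of chain stages completed, in order
    for line in lines:
        if not (m := LOG_RE.match(line)):
            continue
        stage = progress.get(ip := m["ip"], 0)
        if stage == 0:  # the chain must start with a traversal POST to the endpoint
            advanced = m["method"] == "POST" and classify_request(line)[2] in ("traversal", "sensitive-file")
        else:           # later stages are matched by path prefix, in order
            advanced = stage < len(STAGES) and urlsplit(m["target"]).path.startswith(STAGES[stage])
        if advanced:
            progress[ip] = stage + 1
    return sorted(ip for ip, done in progress.items() if done == len(STAGES))

# Constructed sample lines (not real traffic); picUrl values reuse the advisory's IOC string or a placeholder.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Feb/2025:10:01:02 +0000] "POST /public/index.php/material/Material/_download_imgage?picUrl=./../config/database.php HTTP/1.1" 200 812',
    '198.51.100.7 - - [05/Feb/2025:10:01:03 +0000] "GET /public/index.php/home/file/user_pics HTTP/1.1" 200 2104',
    '198.51.100.7 - - [05/Feb/2025:10:01:04 +0000] "GET /public/uploads/picture/placeholder.jpg HTTP/1.1" 200 812',
    '203.0.113.5 - - [05/Feb/2025:10:02:00 +0000] "POST /public/index.php/material/Material/_download_imgage?picUrl=.%252F..%252Fplaceholder.txt HTTP/1.1" 200 60',
    '203.0.113.9 - - [05/Feb/2025:10:03:00 +0000] "POST /public/index.php/material/Material/_download_imgage?picUrl=https://example.com/a.jpg HTTP/1.1" 200 99',
]
```

Access logs do not carry response bodies, so the 'DB_PREFIX' confirmation from the list above still needs a proxy or IDS that captures responses.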

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v4.0      8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck   -         8.7     HIGH       -