CVE-2025-34111
Published 2025-07-15
Priority: P2 · 71 · Critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT: public exploit available (see references)
EPSS: 1.52% (71.4th percentile)
An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tiki | tikiwiki_cms_groupware | <= 15.1 | — |
| tiki_software_community_association | wiki_cms_groupware | <= 15.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP POST requests targeting the ELFinder connector path /vendor_extra/elfinder/connector.minimal.php, which is the vulnerable upload endpoint.
- Alert on PHP file uploads (e.g., .php extension) submitted via multipart POST to the ELFinder connector; the component performs no file extension or content-type validation.
- Detect subsequent HTTP GET/POST requests to uploaded PHP webshells within the ELFinder-managed upload directories, indicating post-upload execution attempts.
- Flag unauthenticated sessions (no valid session cookie/token) issuing file upload operations to the ELFinder connector, as exploitation requires no authentication.
- The vulnerable connector (connector.minimal.php) enforces no file type validation by default; any deployment that has not removed or restricted this file remains exploitable by unauthenticated attackers.
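The four indicators above, implemented as detection logic over sample log records. This is an added example, not code from the page's sources or from the Tiki or elFinder projects. It assumes JSON-lines style proxy/WAF records with hypothetical field names (method, path, has_session, upload_names), a hypothetical upload directory /vendor_extra/elfinder/files/ standing in for whatever root the connector is configured with, and it generalises the page's ".php" indicator to other server-executed extensions (.phtml, .phar, .php5). The sample records are constructed.

```python
"""Detection logic for the CVE-2025-34111 indicators listed above.

Added example (not from the page's sources). Input is constructed JSON-lines
style proxy/WAF log records with hypothetical field names: method, path,
status, has_session (a valid session cookie was presented), content_type,
and upload_names (filenames seen in a multipart body).
"""
import json
import re
from dataclasses import dataclass

CONNECTOR_PATH = "/vendor_extra/elfinder/connector.minimal.php"
# Assumed location of elFinder-managed uploads for this example; the real
# directory depends on the root configured in the connector.
UPLOAD_DIR_PREFIX = "/vendor_extra/elfinder/files/"
# Generalises the page's ".php" indicator to other server-executed extensions.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Constructed sample records: one unauthenticated source that uploads and then
# calls a PHP file, and one legitimate authenticated PDF upload.
SAMPLE_LOG = """
{"ts": "2025-07-16T10:00:01Z", "src": "198.51.100.7", "method": "POST", "path": "/vendor_extra/elfinder/connector.minimal.php", "status": 200, "has_session": false, "content_type": "multipart/form-data", "upload_names": ["shell.php"]}
{"ts": "2025-07-16T10:00:03Z", "src": "198.51.100.7", "method": "GET", "path": "/vendor_extra/elfinder/files/shell.php", "status": 200, "has_session": false, "content_type": "", "upload_names": []}
{"ts": "2025-07-16T10:05:00Z", "src": "203.0.113.9", "method": "POST", "path": "/vendor_extra/elfinder/connector.minimal.php", "status": 200, "has_session": true, "content_type": "multipart/form-data", "upload_names": ["report.pdf"]}
{"ts": "2025-07-16T10:06:00Z", "src": "203.0.113.9", "method": "GET", "path": "/tiki-index.php", "status": 200, "has_session": true, "content_type": "", "upload_names": []}
"""


@dataclass
class Alert:
    rule: str
    src: str
    ts: str
    detail: str


def analyze(lines):
    """Apply the four indicators to an iterable of JSON log lines, in order."""
    alerts = []
    uploaded_php = {}  # basename -> source IP of the upload that created it
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        method, path = rec["method"].upper(), rec["path"]
        if path == CONNECTOR_PATH and method == "POST":
            # Indicators 1 and 4: the connector reached by a POST with no session.
            if not rec.get("has_session"):
                alerts.append(Alert("unauth-connector-post", rec["src"], rec["ts"],
                                    "POST to elFinder connector without a session cookie"))
            # Indicator 2: executable extension among the multipart upload names.
            for name in rec.get("upload_names", []):
                if PHP_EXT.search(name):
                    base = name.rsplit("/", 1)[-1]
                    uploaded_php[base] = rec["src"]
                    alerts.append(Alert("php-upload", rec["src"], rec["ts"],
                                        f"PHP file {name!r} uploaded via connector"))
        elif path.startswith(UPLOAD_DIR_PREFIX) and PHP_EXT.search(path):
            # Indicator 3: PHP requested from the upload directory; record whether
            # an earlier upload of the same filename was observed.
            base = path.rsplit("/", 1)[-1]
            origin = uploaded_php.get(base)
            detail = (f"request to {path}, uploaded earlier from {origin}" if origin
                      else f"request to {path}, upload not observed")
            alerts.append(Alert("webshell-request", rec["src"], rec["ts"], detail))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.src} {a.rule}: {a.detail}")
```

The correlation in the third rule is deliberately keyed on the bare filename rather than the full path, because the connector's configured root decides where the file lands; a real deployment should set UPLOAD_DIR_PREFIX to that root and, if the log source does not expose multipart filenames, fall back to the unauthenticated-POST and upload-directory-PHP-request rules alone.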
CVSS provenance
- NVD · CVSS v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD · CVSS v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No detection rules found.
No writeups or analysis indexed.
References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb
- https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released
- https://www.exploit-db.com/exploits/40091
- https://www.vulncheck.com/advisories/tiki-wiki-el-finder-unauthenticated-file-upload-rce