CVE-2025-32461

CVE-2025-32461: Tiki Wikiplugin Includetpl Remote Code Execution

Description:

Tiki before versions 21.12, 24.8, 27.2, and 28.3 mishandles input in the includetpl wiki plugin (lib/wiki-plugins/wikiplugin_includetpl.php). User-controlled parameters of the plugin call reach PHP's eval() without sanitization, so text that Tiki renders as a plugin call is executed as PHP code on the server, with the privileges of the web server process.

Severity:

  • CVSS Score: 9.9 (Critical)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low (an account that can place plugin calls in wiki content; with PR:N the remaining metrics would score 10.0, not 9.9)
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Known Exploit:

Exploitation requires only the ability to get a crafted includetpl plugin call into content that Tiki parses, such as a wiki page: the PHP code carried in the plugin parameters is evaluated when the page is rendered. No memory corruption or race is involved, so a working payload is a single page edit, and the result is arbitrary code execution as the web server user, which in practice means full compromise of the host running Tiki and of every credential it holds (database, SMTP, LDAP).

Remediation/Mitigation Strategy:

  1. Immediate Upgrade: Upgrade Tiki to the fixed release of your branch: 21.12, 24.8, 27.2, or 28.3, or any later release in that branch. This is the only complete fix; everything below reduces exposure but does not remove the eval() call.
  2. Disable the includetpl Plugin (Temporary Mitigation): If an immediate upgrade is not feasible, disable the includetpl plugin until you can upgrade. This closes this specific attack vector at the cost of any pages that rely on the plugin. The exact steps depend on the installation, but the plugin is typically switched off in the Tiki administration panel under the Editing and Plugins settings; confirm afterwards that an existing includetpl call on a test page is no longer executed.
  3. Web Application Firewall (WAF) Rules: Add rules that flag requests carrying an includetpl plugin call together with PHP code fragments (PHP open tags, calls such as eval/system/exec, quote breakouts followed by a semicolon). The payload travels in the body of a page-edit POST, not in the URL, so the rule must inspect request bodies. Treat this as a detection and slowdown layer, not a fix: WAF signatures are routinely bypassed with encoding and whitespace variations.
  4. Input Validation (If Applicable): If site-specific code or templates build includetpl calls from user-provided values, review and tightly restrict those values (for example, allow only a known list of template names). Because the vulnerable path ends in eval(), no amount of filtering in front of it is reliable; this is a supplemental measure, not a substitute for upgrading or disabling the plugin. Code you maintain yourself should never pass user-controlled strings to eval(); use the template engine's own file-inclusion mechanism instead.
  5. Access Control: Restrict the Tiki administration panel to authorized personnel, and, since the attack vector is wiki content, also review who may edit pages and use plugins. Where your Tiki version offers plugin approval for plugins that need validation, require approval for includetpl so an unreviewed call is not executed.
  6. Regular Security Audits: Conduct regular security audits of the Tiki installation, including code review of local customizations and vulnerability scanning, to identify and address weaknesses before they are exploited.
  7. Monitor Logs: Enable and monitor Tiki's logs and the web server and PHP error logs. Concretely: search page revisions and history for includetpl calls whose parameters contain PHP tokens; look for page edits from accounts that do not normally edit; and watch PHP error logs for failures reported in "eval()'d code", which is how PHP labels errors raised inside eval() and is a strong sign that someone is testing payloads.
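Two of the steps above are easy to get wrong by hand: deciding whether an installed release is actually below the fix for its branch (step 1), and scanning stored wiki markup or captured request bodies for plugin calls that smuggle PHP (steps 3 and 7). The following is an added example, not code from the advisory or from the Tiki project. It assumes Tiki's generic plugin syntax `{includetpl key="value" ...}`; the parameter names, the sample page, and the payload in it are constructed for the example and are not taken from any real exploit. The rule for branches that have no listed fix (22, 23, 25, 26) is an assumption stated in the code.

```python
"""Triage helpers for CVE-2025-32461 (added example, not part of the advisory or of Tiki).

  is_vulnerable(version)            -- is this Tiki release below the fix for its branch?
  find_suspicious_includetpl(text)  -- which includetpl plugin calls in wiki markup or a
                                       request body carry PHP code in their parameters?
"""
import re

# Fixed releases per branch, taken from the advisory: 21.12, 24.8, 27.2, 28.3.
FIXED = {21: (21, 12), 24: (24, 8), 27: (27, 2), 28: (28, 3)}


def parse_version(version: str) -> tuple[int, int]:
    """Reduce a Tiki version string such as '27.1' or '28.3 LTS' to (major, minor)."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tiki version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version: str) -> bool:
    major, minor = parse_version(version)
    if major in FIXED:
        return (major, minor) < FIXED[major]
    # Assumption: branches with no listed fix (22, 23, 25, 26) are end-of-life and
    # never received a patch, so anything older than the newest fixed branch is
    # treated as vulnerable; branches newer than 28 are assumed to ship with the fix.
    return major < 28


# Matches {includetpl ...} in Tiki's plugin syntax, case-insensitively, capturing the
# parameter text. The closing {INCLUDETPL} of a body-style call captures an empty string.
PLUGIN_RE = re.compile(r"\{includetpl\b([^}]*)\}", re.IGNORECASE)

# Tokens that have no business inside a template-name parameter. Each hit is a reason
# to pull the page revision and its author; none of them is proof on its own.
PHP_MARKERS = [
    (re.compile(r"<\?php|<\?=", re.I), "php open tag"),
    (re.compile(r"\b(eval|system|exec|passthru|shell_exec|popen|proc_open|assert)\s*\(", re.I),
     "dangerous call"),
    (re.compile(r"\$[A-Za-z_]\w*"), "php variable"),
    (re.compile(r"`[^`]*`"), "backtick shell"),
    (re.compile(r"base64_decode|gzinflate|str_rot13", re.I), "decoder"),
    (re.compile(r";"), "statement separator"),
]


def find_suspicious_includetpl(text: str) -> list[dict]:
    """Return one finding per includetpl call whose parameters match any PHP marker."""
    findings = []
    for m in PLUGIN_RE.finditer(text):
        params = m.group(1)
        reasons = [label for rx, label in PHP_MARKERS if rx.search(params)]
        if reasons:
            findings.append({"call": m.group(0), "reasons": reasons})
    return findings


# Constructed sample wiki markup: one benign call, one carrying code in a parameter.
SAMPLE_PAGE = """!Release notes
{includetpl file="templates/release-notes.tpl"}
Some text between calls.
{includetpl file="x"; system($cmd); //"}
"""

if __name__ == "__main__":
    for v in ("21.11", "24.8", "26.1", "27.1", "28.3"):
        print(f"Tiki {v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    for hit in find_suspicious_includetpl(SAMPLE_PAGE):
        print("suspicious:", hit["call"], "->", ", ".join(hit["reasons"]))
```

Feed `find_suspicious_includetpl` the current page markup and, more importantly, the page history (in Tiki both live in the database; the current text is in the pages table and prior revisions in the history table), since an attacker who has already gained a shell will usually revert the page to hide the call. The markers are deliberately noisy heuristics; they are for triage and for WAF body inspection, and, like any signature, do not replace the upgrade.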

Assigner

Date

  • Published Date: 2025-04-09 02:15:16
  • Updated Date: 2025-04-09 20:02:42

More Details

CVE-2025-32461