
CVE-2025-34111 – Tiki Wiki <= 15.1 ELFinder Unauthenticated File Upload RCE
https://notcve.org/view.php?id=CVE-2025-34111
15 Jul 2025 — An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/. • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb • CWE-20: Improper Input Validation CWE-306: Missing Authentication for Critical Function CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-34113 – Tiki Wiki CMS Authenticated Command Injection in Calendar Module
https://notcve.org/view.php?id=CVE-2025-34113
15 Jul 2025 — An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user. • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/tiki_calendar_exec.rb • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-306: Missing Authentication for Critical Function •

CVE-2025-32461 – Tiki Wiki CMS Groupware 28.3 Server-Side Template Injection
https://notcve.org/view.php?id=CVE-2025-32461
09 Apr 2025 — wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3. Tiki Wiki CMS Groupware versions 28.3 and below suffer from two server-side template injection vulnerabilities via specially crafted wiki pages. • https://packetstorm.news/files/id/206161 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •

CVE-2025-23986 – WordPress Tiki Time theme <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-23986
18 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fyrewurks Tiki Time allows Reflected XSS. This issue affects Tiki Time: from n/a through 1.3. The Tiki Time theme for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick... • https://patchstack.com/database/wordpress/theme/tiki-time/vulnerability/wordpress-tiki-time-theme-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-51506
https://notcve.org/view.php?id=CVE-2024-51506
28 Oct 2024 — Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description. • https://github.com/r0ck3t1973/xss_payload/issues/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-22850
https://notcve.org/view.php?id=CVE-2023-22850
14 Jan 2023 — Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. • https://karmainsecurity.com/KIS-2023-03 • CWE-502: Deserialization of Untrusted Data •

CVE-2023-22852 – Tiki Wiki CMS Groupware 25.0 Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-22852
10 Jan 2023 — Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php. Tiki Wiki CMS Groupware versions 25.0 and below suffer from multiple cross site request forgery vulnerabilities. • https://packetstorm.news/files/id/170432 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2023-22853 – Tiki Wiki CMS Groupware 24.0 structlib.php Code Execution
https://notcve.org/view.php?id=CVE-2023-22853
10 Jan 2023 — Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval. Tiki Wiki CMS Groupware versions 24.0 and below suffer from a PHP code injection vulnerability in structlib.php. • https://packetstorm.news/files/id/170433 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-22851 – Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-22851
10 Jan 2023 — Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. Tiki Wiki CMS Groupware versions 24.1 and below suffer from a PHP object injection vulnerability in tikiimporter_blog_wordpress.php. • https://packetstorm.news/files/id/170435 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2021-36551
https://notcve.org/view.php?id=CVE-2021-36551
28 Oct 2021 — TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module. • https://github.com/r0ck3t1973/xss_payload/issues/7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •