YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service (ReDoS / Stack Overflow) which can crash the server, and it creates a high-risk architecture where any logic bypass directly results in arbitrary PHP code execution. Version 4.6.6 patches the issue.
The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression, then passes them to the PHP eval() function. The applied regular expression is vulnerable to ReDoS (Regular Expression Denial of Service), which can lead to stack overflow and server failure. At the same time, the architecture based on eval() means that any bypass of the sanitization logic results in direct execution of arbitrary PHP code by the attacker.
An unauthenticated attacker can remotely execute arbitrary PHP code on the server (RCE) or cause its unavailability through a ReDoS attack causing process failure.
YesWiki should be updated to version 4.6.6, which contains a patch eliminating the vulnerability. The patch is available in the project's GitHub repository (commit dd2bd8fb099de0d21504bda8a810693b3fcb8e52) and as an official v4.6.6 release.
YesWiki in all versions prior to 4.6.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H