CVE-2025-34045

HIGH EXPLOITED NUCLEI

WeiPHP 5.0 - Path Traversal

Title source: llm

Description

A path traversal vulnerability exists in WeiPHP 5.0, an open source WeChat public account platform development framework by Shenzhen Yuanmengyun Technology Co., Ltd. The flaw occurs in the picUrl parameter of the /public/index.php/material/Material/_download_imgage endpoint, where insufficient input validation allows unauthenticated remote attackers to perform directory traversal via crafted POST requests. This enables arbitrary file read on the server, potentially exposing sensitive information such as configuration files and source code. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Nuclei Templates (1)

WeiPHP 5.0 - Path Traversal

HIGHby pikpikcu

References (3)

[Exploit] https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cnvd/2020/CNVD-2020-68596.yaml

[Exploit, Third Party Advisory] https://vulncheck.com/advisories/weiphp-path-traversal-file-read

[Third Party Advisory] https://www.cnvd.org.cn/flaw/show/CNVD-2020-68596

Scores

CVSS v3 7.5

EPSS 0.2764

EPSS Percentile 96.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2025-06-26

CWE

CWE-22

Status published

Products (1)

weiphp/weiphp 5.0

Published Jun 26, 2025

Tracked Since Feb 18, 2026