CVE-2025-34045

HIGH EXPLOITED NUCLEI

WeiPHP 5.0 - Unauthenticated Path Traversal and Arbitrary File Read via Material Download Endpoint

Title source: llm

Exploitation Summary

CVE-2025-34045 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

A path traversal vulnerability exists in WeiPHP 5.0, an open source WeChat public account platform development framework by Shenzhen Yuanmengyun Technology Co., Ltd. The flaw occurs in the picUrl parameter of the /public/index.php/material/Material/_download_imgage endpoint, where insufficient input validation allows unauthenticated remote attackers to perform directory traversal via crafted POST requests. This enables arbitrary file read on the server, potentially exposing sensitive information such as configuration files and source code. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Nuclei Templates (1)

WeiPHP 5.0 - Path Traversal

HIGHby pikpikcu

References (3)

Core 3

Core References

Third Party Advisory third-party-advisory

https://www.cnvd.org.cn/flaw/show/CNVD-2020-68596

Exploit exploit

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cnvd/2020/CNVD-2020-68596.yaml

Exploit, Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/weiphp-path-traversal-file-read

Scores

CVSS v3 7.5

EPSS 0.2809

EPSS Percentile 96.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2025-06-26

CWE

CWE-22

Status published

Products (1)

weiphp/weiphp 5.0

Published Jun 26, 2025

Tracked Since Feb 18, 2026