CVE-2025-34111

CRITICAL

Tikiwiki Cms/groupware < 15.1 - Missing Authentication

Title source: rule

Description

An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Mehmet Ince · rubywebappsphp

https://www.exploit-db.com/exploits/40091

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Mehmet Ince <[email protected]> · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb

[Release Notes] https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/40091

[Third Party Advisory] https://www.vulncheck.com/advisories/tiki-wiki-el-finder-unauthenticated-file-upload-rce

Scores

CVSS v3 9.8

EPSS 0.7369

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-306 CWE-20 CWE-434

Status published

Products (2)

tiki/tikiwiki_cms\/groupware < 15.1

Tiki Software Community Association/Wiki CMS Groupware < 15.1

Published Jul 15, 2025

Tracked Since Feb 18, 2026