
Positive Technologies helps fix four vulnerabilities in Foswiki, a free enterprise collaboration platform

PT SWARM researcher Evgeny Kopytin discovered four vulnerabilities in Foswiki, a widely used open-source wiki collaboration platform. Organizations around the world rely on Foswiki for internal knowledge bases, project management, and collaborative document editing in a web browser. The security flaws could enable attackers to steal sensitive information, take over accounts of employees and administrators, and even gain full control over corporate servers. The affected versions are Foswiki 2.1.9 and earlier, as well as version 1.0 of the bundled MentionsPlugin component. The findings were disclosed responsibly to the Foswiki project team, and patched software releases are already available.

The most severe of these issues is an SQL injection[1] vulnerability affecting MentionsPlugin, the component that handles user mentions in Foswiki articles. Tracked as PT-2025-54563[2] (BDU: 2025-11650), this vulnerability received a CVSS 4.0 score of 7.2. Before the fix, the plugin did not properly sanitize user input, allowing an attacker with regular user privileges to insert arbitrary SQL commands into the platform's database. In a theoretical attack scenario, successful exploitation could result in remote code execution (RCE) on the target server. Such an outcome would mean complete control over the system, providing an opportunity for data theft, malware deployment, or lateral movement to other assets within the internal corporate network.
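The paragraph above describes the root cause in general terms: user-supplied text reached a database query without being treated as data. The following Python snippet is an added illustration of that flaw class and its standard fix; it is not code from Foswiki or MentionsPlugin, and the table, the sample rows and the mention-lookup function are constructed for the example. The vulnerable variant builds the statement by string interpolation, the hardened variant binds the same value as a query parameter.

```python
# Added illustration (not Foswiki or MentionsPlugin code): why interpolating
# user input into a SQL statement is dangerous, and how a bound parameter
# closes the hole. Schema, rows and the lookup function are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with a hypothetical 'is_admin' flag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],  # constructed sample data
    )
    return conn


def find_mentions_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hypothetical mention lookup that interpolates user input into SQL.

    A quote character in `name` terminates the string literal, so whatever
    follows is parsed as SQL: the database cannot distinguish data from code.
    """
    sql = f"SELECT login FROM users WHERE login = '{name}' ORDER BY login"
    return [row[0] for row in conn.execute(sql)]


def find_mentions_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Same lookup with a bound parameter: the driver sends `name` as data only."""
    sql = "SELECT login FROM users WHERE login = ? ORDER BY login"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> tuple[list[str], list[str]]:
    """Run both variants on a value no legitimate mention would contain."""
    conn = make_db()
    # A quote followed by a tautology. The string-built query now matches
    # every row; the parameterized query looks for a login literally equal
    # to this text and finds nothing.
    hostile = "x' OR '1'='1"
    return find_mentions_vulnerable(conn, hostile), find_mentions_safe(conn, hostile)


if __name__ == "__main__":
    leaked, safe = demo()
    print("string-built query returned:", leaked)
    print("parameterized query returned:", safe)
```

The point for defenders is that parameterization does not try to guess which characters are dangerous; it removes the ambiguity by sending the statement and the values through separate channels. Database-side hardening, such as running the application under an account without file-system or administrative privileges, limits what a remaining injection can reach, which is why the remediation advice further down also asks for a tightened DBMS configuration.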

The second security flaw, designated PT-2025-54564 (CVE-2025-unassigned-1; BDU: 2025-11652), is a stored cross-site scripting (stored XSS[3]) vulnerability rated as medium severity with a CVSS 4.0 score of 6.1. A potential attacker could upload a file attachment to a Foswiki page with a description containing a malicious script. This script would then be triggered whenever the management interface was accessed. For instance, if an administrator later attempted to delete that specific attached object, the malicious code would execute, potentially allowing the attacker to compromise the administrator's account and assume their privileges.

The third flaw, identified as PT-2025-54565 (CVE-2025-unassigned-3; BDU: 2025-11654), is a reflected cross-site scripting (reflected XSS[4]) vulnerability located within the pages that display article revision histories and Foswiki settings. In contrast to the other issues, exploiting this weakness does not require credentials. An attacker could simply create a phishing URL with embedded malicious code and persuade any authenticated user to follow the link. When the page renders, the victim's browser would execute the injected script, enabling the attacker to conduct unauthorized actions using the victim's session and privileges.
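Both XSS issues described in the two paragraphs above, the stored one in an attachment description and the reflected one in a revision-history page, share a single root cause and a single fix: a user-controlled string is placed into HTML without being encoded for that context. The Python snippet below is an added example, not Foswiki code; the page templates, the stored description and the request parameter are constructed for the illustration. Each vulnerable renderer is shown next to a version that encodes the value at output time.

```python
# Added illustration (not Foswiki code): echoing a user-controlled string into
# HTML versus encoding it first. Covers the stored case (an attachment
# description saved earlier) and the reflected case (a request parameter
# echoed into the page). Templates and sample values are constructed.
import html

# Constructed stored value: a description an attachment could carry.
STORED_DESCRIPTION = "Quarterly report <script>alert(1)</script>"

# Constructed reflected value: a revision parameter taken from the URL.
REFLECTED_PARAM = '1"><script>alert(1)</script>'


def render_delete_confirm_vulnerable(description: str) -> str:
    """Management page that drops the stored description straight into HTML."""
    return f"<p>Delete attachment: {description}?</p>"


def render_delete_confirm_safe(description: str) -> str:
    """Same page with the description HTML-encoded at output time."""
    return f"<p>Delete attachment: {html.escape(description, quote=True)}?</p>"


def render_history_vulnerable(rev_param: str) -> str:
    """Revision-history page that reflects a request parameter verbatim."""
    return f"<h2>Revision {rev_param}</h2>"


def render_history_safe(rev_param: str) -> str:
    """Same page with the parameter encoded; quotes are encoded too, so the
    value stays inert even inside an attribute."""
    return f"<h2>Revision {html.escape(rev_param, quote=True)}</h2>"


def contains_script_tag(markup: str) -> bool:
    """Crude detection check: does the rendered markup contain a live <script> element?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for label, out in [
        ("stored, unencoded", render_delete_confirm_vulnerable(STORED_DESCRIPTION)),
        ("stored, encoded", render_delete_confirm_safe(STORED_DESCRIPTION)),
        ("reflected, unencoded", render_history_vulnerable(REFLECTED_PARAM)),
        ("reflected, encoded", render_history_safe(REFLECTED_PARAM)),
    ]:
        print(f"{label:22} script tag present: {contains_script_tag(out)}  {out}")
```

Output encoding is the primary control because it is applied where the context is known. A content security policy, which the remediation section of this article recommends, is a second layer: it stops a browser from running inline scripts even if an encoding gap remains, but it does not make the underlying injection go away.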

An issue involving content spoofing[5], designated PT-2025-54566 (BDU: 2025-11655; CVSS 4.0 score of 5.1), was discovered in the password recovery process. Successful exploitation of this flaw would allow an attacker to modify the body of the automated email notification sent by the Foswiki platform to a user. In a probable attack scenario, the attacker would add instructions to the message prompting the recipient to navigate to a third-party site and provide their valid username and password. This approach would enable the attacker to directly harvest employee login credentials.

[1] SQL injection is a type of cyberattack where a malicious actor inserts unauthorized commands into an application's database query. This technique can be used to read, alter, or delete sensitive data. Under certain conditions, it may enable the attacker to seize control of the underlying server.

[2] The vulnerabilities have been registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.

[3] Stored cross-site scripting (stored XSS) is a security weakness that permits a malicious script to be permanently stored on a server, such as inside a comment field or an uploaded file. This script then executes automatically in the victim's browser whenever the affected page is accessed. A successful attack can result in session hijacking and credential theft.

[4] Reflected cross-site scripting (reflected XSS) is a security flaw where a malicious script is returned by a web server as part of a response to a specially crafted request, for instance via a phishing URL. The script then runs within the victim's browser, which can enable the attacker to seize control of the user's active session.

[5] Content spoofing is an attack method that enables an attacker to modify application-generated content, such as the body text of an automated service email, without breaking the application's intended operation. The objective is to mislead the user into accepting counterfeit information as legitimate and subsequently taking harmful actions.

"A particular concern regarding these vulnerabilities is that they could be linked together to build a full attack chain. Theoretically, a malicious actor could achieve initial access, then elevate their privileges, and eventually take full control of the server."

Evgeny Kopytin, Web Application Security Specialist at Positive Technologies

To remediate the SQL injection flaw in MentionsPlugin, an update to version 1.30 is required. Remediating the other three vulnerabilities requires upgrading the Foswiki core system to version 2.1.11 or later. If an upgrade is not immediately possible, Positive Technologies advises disabling the vulnerable plugin and the password recovery feature. For defense against XSS-based attacks, organizations may install the SecurityHeadersPlugin extension or manually implement a strict content security policy (CSP), a browser security standard that limits the origins from which scripts and other resources may be loaded when a website is accessed. Furthermore, it is essential to audit and tighten the security configuration of the underlying database management system to reduce the potential impact of any future incidents.

Web application firewalls such as PT Application Firewall, along with code security analysis tools such as PT Application Inspector, can help identify similar flaws and prevent their exploitation. Advanced NTA and NDR solutions, including PT Network Attack Discovery (PT NAD), similarly detect attempts to exploit these vulnerabilities, while NGFW products such as PT NGFW provide the additional capability of blocking such attacks outright. To avoid similar incidents, companies should also deploy network sandboxes, such as PT Sandbox, which analyze files submitted by other security tools and uncover malware. Additionally, the use of EDR solutions, including MaxPatrol EDR, is recommended. These tools identify malicious activity and halt the progression of an attack.

For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.