Weiphp Security Vulnerabilities
WeiPHP v5.0 and before is vulnerable to SQL Injection via the SucaiController.class.php file and the cancelTemplatee
CVSS Score: 8.4 | EPSS Score: 0.0 | Published: 2025-09-08
A path traversal vulnerability exists in WeiPHP 5.0, an open source WeChat public account platform development framework by Shenzhen Yuanmengyun Technology Co., Ltd. The flaw occurs in the picUrl parameter of the /public/index.php/material/Material/_download_imgage endpoint, where insufficient input validation allows unauthenticated remote attackers to perform directory traversal via crafted POST requests. This enables arbitrary file read on the server, potentially exposing sensitive information such as configuration files and source code. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
CVSS Score: 7.5 | EPSS Score: 0.207 | Published: 2025-06-26
WeiPHP 5.0 does not properly restrict access to pages, related to using POST.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2020-12-18
SQL injection vulnerability in the wp_where function in WeiPHP 5.0.
CVSS Score: 9.8 | EPSS Score: 0.571 | Published: 2020-12-18

