GHSA-6x7x-gcmf-7r8x: YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action
Summary
The {{erasespamedcomments}} wiki action (actions/EraseSpamedCommentsAction.php) accepts a suppr[] array from POST and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki's allow-by-default action ACL model, any user who has page write access, which is the default for everyone (default_write_acl='*') on a fresh install can permanently delete arbitrary wiki pages, including the front page, admin pages, and pages owned by other users.
The action's delete() callee is PageManager::deleteOrphaned(), which despite its name does not check whether the target page is orphaned: it issues an unconditional DELETE against pages, links, acls, triples, referrers, and tags tables.
Details
Three issues compose the vulnerability.
1. actions/EraseSpamedCommentsAction.php performs no authorization check before processing $_POST['clean'] / $_POST['suppr'][] in actions/EraseSpamedCommentsAction.php:
public function run()
{
$wiki = &$this->wiki;
ob_start();
// ...
elseif (isset($_POST['clean'])) {
$deletedPages = '';
if (!empty($_POST['suppr'])) {
foreach ($_POST['suppr'] as $page) {
echo 'Effacement de : ' . $page . "<br />\n";
if ($wiki->services->get(PageController::class)->delete($page)) {
$deletedPages .= $page . ', ';
}
}
}
}
}
No UserIsAdmin(), no UserIsOwner(), no HasAccess('write', $page) per-target check, no CSRF token check.
2. The default action ACL grants access to everyone in includes/YesWiki.php:
$acl = empty($this->config['permissions'][$moduleType][$module])
? '*'
: $this->config['permissions'][$moduleType][$module];
if ($acl === null) { return true; }
return $this->CheckACL($acl, $user);
No shipped permissions map gates erasespamedcomments to admins, so Performer::CheckModuleACL('erasespamedcomments', 'action') returns true for anonymous users.
3. PageController::delete() and PageManager::deleteOrphaned() perform no authorization
Details
Original advisory: https://github.com/advisories/GHSA-6x7x-gcmf-7r8x
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-52766 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10