CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-6x7x-gcmf-7r8x: YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action

criticalCVSS 9.1CVE-2026-52766
Summary The {{erasespamedcomments}} wiki action (actions/EraseSpamedCommentsAction.php) accepts a suppr[] array from POST and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki's allow-by-default action ACL model, any user who has page write access, which is the default for everyone (default_write_acl='*') on a fresh install can permanently delete arbitrary wiki pages, including the front page, admin pages, and pages owned by other users. The action's delete() callee is PageManager::deleteOrphaned(), which despite its name does not check whether the target page is orphaned: it issues an unconditional DELETE against pages, links, acls, triples, referrers, and tags tables. Details Three issues compose the vulnerability. 1. actions/EraseSpamedCommentsAction.php performs no authorization check before processing $_POST['clean'] / $_POST['suppr'][] in actions/EraseSpamedCommentsAction.php: public function run() { $wiki = &$this->wiki; ob_start(); // ... elseif (isset($_POST['clean'])) { $deletedPages = ''; if (!empty($_POST['suppr'])) { foreach ($_POST['suppr'] as $page) { echo 'Effacement de : ' . $page . "<br />\n"; if ($wiki->services->get(PageController::class)->delete($page)) { $deletedPages .= $page . ', '; } } } } } No UserIsAdmin(), no UserIsOwner(), no HasAccess('write', $page) per-target check, no CSRF token check. 2. The default action ACL grants access to everyone in includes/YesWiki.php: $acl = empty($this->config['permissions'][$moduleType][$module]) ? '*' : $this->config['permissions'][$moduleType][$module]; if ($acl === null) { return true; } return $this->CheckACL($acl, $user); No shipped permissions map gates erasespamedcomments to admins, so Performer::CheckModuleACL('erasespamedcomments', 'action') returns true for anonymous users. 3. PageController::delete() and PageManager::deleteOrphaned() perform no authorization

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical — CVSS 9.1
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-6x7x-gcmf-7r8x

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-52766coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories