Tiki Wiki CMS: Remote Code Execution via Calendar Module
Description
Tiki Wiki CMS versions prior to 14.2, 12.5 LTS, 9.11 LTS, and 6.15 contain a remote code execution vulnerability in the Calendar module. The flaw can be triggered without valid credentials, so an unauthenticated attacker can execute arbitrary code on the server; this makes it a critical risk for any publicly reachable Tiki Wiki installation that has the calendar feature enabled.
Remediation
Immediately upgrade Tiki Wiki CMS to a patched version: 14.2 or higher, 12.5 LTS or higher, 9.11 LTS or higher, or 6.15 or higher depending on your current version branch. Follow these steps:
1. Back up your current Tiki Wiki installation and database before upgrading
2. Download the appropriate patched version from the official Tiki Wiki website
3. Follow the official upgrade documentation for your version
4. Verify the calendar module is updated and test functionality after upgrade
If immediate upgrading is not possible, implement these temporary mitigations:
- Disable the calendar feature entirely through the Tiki administration panel (Features > Calendar > Disable)
- If the calendar must remain active, restrict access to authenticated and trusted users only by modifying permission settings
- Monitor server logs for suspicious activity targeting the calendar module
Note that temporary mitigations do not fully resolve the vulnerability and upgrading remains the only complete solution.
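As an added example (not part of the original advisory), the following script turns the version thresholds above into a branch-aware check an operator can run against the installed version string before deciding whether to upgrade or apply the temporary mitigations. It assumes, from the advisory's wording, that branches without a listed fix (for example 13.x) must be moved to a listed branch, and that anything newer than 14.x carries the fix; the version string itself is supplied on the command line.

```python
import re
import sys

# Minimum patched release per version branch, taken from the advisory text.
# Branches absent from this table (7.x, 8.x, 10.x, 11.x, 13.x) have no fix of
# their own, so installations on them are reported as vulnerable (assumption
# drawn from "prior to 14.2, 12.5 LTS, 9.11 LTS, and 6.15").
PATCHED_BY_BRANCH = {
    14: (14, 2),
    12: (12, 5),
    9: (9, 11),
    6: (6, 15),
}
LATEST_FIXED_BRANCH = 14  # anything above 14.x is assumed to include the fix


def parse_version(text):
    """Turn a version string such as '12.4', '9.10 LTS' or '14.1.1' into (major, minor, patch)."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def assess(version_text):
    """Return (vulnerable, advice) for the installed Tiki version."""
    major, minor, _patch = parse_version(version_text)
    if major > LATEST_FIXED_BRANCH:
        return False, "branch newer than 14.x; assumed to include the fix (14.2 or higher)"
    fixed = PATCHED_BY_BRANCH.get(major)
    if fixed is None:
        return True, "no patched release on the %d.x branch; move to 14.2, 12.5 LTS, 9.11 LTS or 6.15" % major
    if (major, minor) >= fixed:
        return False, "at or above the patched release %d.%d" % fixed
    return True, "below %d.%d; upgrade within the %d.x branch or to a newer one" % (fixed[0], fixed[1], major)


if __name__ == "__main__":
    # Usage: python tiki_calendar_check.py <installed-version>
    installed = sys.argv[1] if len(sys.argv) > 1 else "12.4"  # constructed default for demonstration
    vulnerable, advice = assess(installed)
    print("Tiki %s: %s (%s)" % (installed, "VULNERABLE" if vulnerable else "patched", advice))
    sys.exit(1 if vulnerable else 0)
```

The non-zero exit status lets the check sit in a configuration-audit job that fails until the upgrade is done.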