Hack Attack: PKP-WAL Vulnerability Opens Door to LESS Code Injection Mayhem!

The PKP-WAL getBaseUrl() method is vulnerable to unauthenticated attackers via the X-Forwarded-Host header, leading to LESS Code Injection attacks. To exploit this, the allowed_hosts setting must be blank. No official fix yet, but watch out if you like your code injection with a side of chaos!

1P
Published: December 28, 2025 5:53 amAdded: December 27, 2025 at 10:17 pmAssembled by: The Editor
Pro Dashboard

Hot Take:

Well folks, it looks like the PKP-WAL has found itself in a bit of a pickle, and it’s not the kind you’d want with your sandwich. Unauthenticated attackers can apparently sweet-talk the system with the X-Forwarded-Host HTTP header and get it to serve up a side of LESS code injection. Talk about being a bad host!

Key Points:

  • PKP-WAL’s getBaseUrl() method can be manipulated via the X-Forwarded-Host HTTP header.
  • This vulnerability allows for LESS code injection, potentially leading to SSRF or Local File Read attacks.
  • The vulnerability is exploitable when the allowed_hosts setting is empty in the config.inc.php script.
  • No official solution available, but a related GitHub issue might offer a workaround.
  • Vulnerability identified as CVE-2025-67891 and discovered by Egidio Romano.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?