Multiple flaws in WikkaWiki

Multiple flaws in WikkaWiki allow an attacker to launch cross-site scripting (XSS) attacks, steal information, manipulate data and compromise a user's system.
The application allows users to perform certain actions via HTTP requests without validating those requests.
Input data passed via the "file" parameter to wikka.php is not verified before being used to delete files, allowing an attacker to delete arbitrary files.
Input data passed via the "default_comment_display" parameter is not sanitised before being used in SQL queries, allowing an SQL injection attack.
Input data passed via the "User-Agent" header to wikka.php is not properly verified before being written to a file; an attacker may execute arbitrary PHP code.
The flaws were found in version 1.3.2. Other versions may also be vulnerable.
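The three input-handling weaknesses above (unchecked file name, unsanitised SQL value, raw header written to a file) share one fix pattern: validate against what the application expects and keep data out of code. The following is an added illustration written for this page, not WikkaWiki's own code; the upload directory, table and column names, and the set of allowed setting values are assumptions.

```php
<?php
// Added example, not WikkaWiki code: defensive handling for the three input
// paths named in the advisory. Directory, table/column names and the allowed
// setting values are assumptions made for illustration.
declare(strict_types=1);

// 1. "file" parameter used for deletion: only a plain file name that resolves
//    to an existing file inside the fixed upload directory is accepted.
function safeDeletePath(string $uploadDir, string $file): ?string
{
    // Reject empty names, separators and traversal components outright.
    if ($file === '' || $file !== basename($file) || $file === '.' || $file === '..') {
        return null;
    }
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $file);
    // realpath() returns false for a missing path, so unknown names are rejected too.
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }
    // The resolved target must still lie beneath the upload directory (symlink-safe).
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// 2. "default_comment_display": accept only known values and bind them as
//    parameters; the value never becomes part of the SQL text.
function saveCommentDisplay(PDO $db, int $userId, string $value): bool
{
    $allowed = ['show', 'hide']; // assumption: the legitimate settings
    if (!in_array($value, $allowed, true)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET default_comment_display = :v WHERE id = :id');
    return $stmt->execute([':v' => $value, ':id' => $userId]);
}

// 3. User-Agent written to a file: reduce to printable ASCII, cap the length and
//    serialise as one JSON object per line so the record is data, never source.
//    The log file must also live outside any path the web server hands to PHP.
function userAgentLogLine(string $ua): string
{
    $clean = preg_replace('/[^\x20-\x7E]/', '', $ua) ?? '';
    $clean = substr($clean, 0, 256);
    return json_encode(['ua' => $clean, 'ts' => time()], JSON_THROW_ON_ERROR) . "\n";
}
```

Each function returns a failure value (`null` or `false`) rather than throwing, so the caller can log the rejected input for detection without exposing details to the client.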


Source: Secunia
05.12.2011