A highly critical flaw was discovered in PmWiki 2.x. It allows an attacker to compromise a user's system. Input passed via the "order" argument is not validated before being used in a create_function() call in scripts/pagelist.php. An attacker can exploit the vulnerability to inject and execute arbitrary PHP code.
The flaw was confirmed in version 2.2.34. Earlier versions may also be affected.
Users should upgrade to 2.2.35.
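The root cause described above is a sort routine built as a code string from request data. As an added example (not PmWiki's code and not its actual fix), the PHP below validates an order value against an allowlist and sorts with a closure, so the input only ever selects array keys; the field names and the comma-separated, minus-prefixed syntax are assumptions made for illustration.

```php
<?php
// Added example: the sort order is built from closures, never from generated code.
// Field names and the "-field,field" syntax are assumptions for illustration.
const ALLOWED_ORDER_FIELDS = ['name', 'title', 'time'];

// Parse an untrusted "order" value into [field, direction] pairs; reject anything else.
function parse_order(string $raw): array
{
    $keys = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part === '') {
            continue;
        }
        $dir = 1;
        if ($part[0] === '-') {
            $dir = -1;
            $part = substr($part, 1);
        }
        if (!in_array($part, ALLOWED_ORDER_FIELDS, true)) {
            throw new InvalidArgumentException('unsupported order field');
        }
        $keys[] = [$part, $dir];
    }
    return $keys;
}

// Build the comparator as a closure; user input only selects allowlisted keys.
function make_comparator(array $keys): callable
{
    return function (array $a, array $b) use ($keys): int {
        foreach ($keys as [$field, $dir]) {
            $c = $a[$field] <=> $b[$field];
            if ($c !== 0) {
                return $dir * $c;
            }
        }
        return 0;
    };
}

// Constructed sample data.
$pages = [
    ['name' => 'Main.HomePage', 'title' => 'Home', 'time' => 1322179200],
    ['name' => 'Main.About', 'title' => 'About', 'time' => 1322092800],
];
usort($pages, make_comparator(parse_order('-time,name')));
echo implode("\n", array_column($pages, 'name')), "\n";
```

create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so a search for remaining calls to it is a useful audit step on older code bases.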
Source: Secunia
25.11.2011