Sign In
Advisories

WonderCMS 4.3.2 Cross-Site Scripting Remote Code Execution via Module Installation

Go Back
severity
high
date
Affecting

  • WonderCMS 4.3.2

CWE
  • CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS
8.6
CVSS V4 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Credit
prodigiousMind
Description
WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticated administrator into accessing a malicious link.