CVE-2024-58305
Cross-Site Scripting in WonderCMS Module Installation Enables Remote Code Execution
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wondercms | wondercms | 4.3.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP requests to the WonderCMS module installation endpoint that contain unusual or malicious JavaScript payloads. One practical approach is to look for GET requests that attempt to install modules from external sources or contain suspicious parameters. Additionally, you can check for unexpected files such as 'rev.php' in the themes directory, which may indicate a reverse shell installation. To detect active exploitation, you can use network monitoring tools to identify connections to unusual ports or IP addresses initiated by the server. For example, starting a netcat listener on a port and checking for incoming reverse shell connections can help confirm exploitation attempts. Specific commands include: 1) Using curl or wget to test the module installation endpoint for injection points; 2) Using netstat or ss to detect unusual outbound connections; 3) Using find or ls commands on the server to look for unexpected PHP files like 'rev.php'. The exploit script referenced in Resource 1 automates these steps and demonstrates how the attack is performed, which can guide detection efforts. [1]
Can you explain this vulnerability to me?
This vulnerability in WonderCMS 4.3.2 is a cross-site scripting (XSS) flaw that allows attackers to inject malicious JavaScript code through the module installation endpoint. By crafting a special XSS payload, an attacker can trick an authenticated administrator into clicking a malicious link, which then installs a reverse shell module and enables the attacker to execute remote commands on the system.
How can this vulnerability impact me? :
The vulnerability can lead to severe impacts including unauthorized remote command execution on the affected system. This means attackers can gain control over the server running WonderCMS by installing a reverse shell, potentially leading to data theft, system compromise, and further exploitation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Restrict access to the WonderCMS administration interface to trusted IP addresses or VPNs to reduce the risk of an attacker tricking an authenticated admin; 2) Educate administrators to avoid clicking on suspicious or untrusted links that could trigger the XSS payload; 3) Monitor and audit the module installation endpoint for unauthorized or suspicious activity; 4) Remove any suspicious or unknown modules or files such as reverse shell scripts (e.g., 'rev.php') from the server; 5) Apply any available patches or updates from the WonderCMS project once released; 6) Consider temporarily disabling the module installation feature if possible until a fix is applied. Since the vulnerability requires an authenticated admin to be tricked, strengthening authentication and user awareness is critical. [2]