VYPR

WonderCMS

by WonderCMS

CVEs (36)

  • CVE-2014-8705 · Critical · Mar 17, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    PHP remote file inclusion vulnerability in editInplace.php in Wonder CMS 2014 allows remote attackers to execute arbitrary PHP code via a URL in the hook parameter.

  • CVE-2014-8704 · Critical · Mar 17, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    Directory traversal vulnerability in index.php in Wonder CMS 2014 allows remote attackers to include and execute arbitrary local files via a crafted theme.

  • CVE-2017-14521 · High · Jan 26, 2018
    risk 0.61 · cvss 8.8 · epss 0.07

    In WonderCMS 2.3.1, the upload functionality accepts arbitrary application extensions, which leads to malicious file upload.

  • CVE-2024-58305 · High · Dec 12, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by…

  • CVE-2017-7951 · High · Apr 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context.

  • CVE-2017-14523 · High · Jan 26, 2018
    risk 0.52 · cvss 7.5 · epss 0.08

    WonderCMS 2.3.1 is vulnerable to an HTTP Host header injection attack. It uses user-entered values to redirect pages. NOTE: the vendor reports that exploitation is unlikely because the attack can only come from a local machine or from the administrator as a self-attack.

  • CVE-2018-14387 · High · Jul 18, 2018
    risk 0.50 · cvss 8.8 · epss 0.02

    An issue was discovered in WonderCMS before 2.5.2. An attacker can create a new session on a web application and record the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier. The attacker can…

  • CVE-2014-8701 · High · Mar 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Wonder CMS 2014 allows remote attackers to obtain sensitive information by viewing /files/password, which reveals the unsalted MD5 hashed password.

  • CVE-2017-14522 · Medium · Jan 26, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    In WonderCMS 2.3.1, the application's input fields accept arbitrary user input, resulting in execution of malicious JavaScript. NOTE: the vendor disputes this issue, stating that this is a feature that enables only a logged-in administrator to write and execute JavaScript anywhere on…

  • CVE-2014-8703 · Medium · Mar 17, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Wonder CMS 2014 allows remote attackers to inject arbitrary web script or HTML.

  • CVE-2014-8702 · Medium · Mar 17, 2017
    risk 0.35 · cvss 5.3 · epss 0.01

    Wonder CMS 2014 allows remote attackers to obtain sensitive information by logging into the application with an array for the password, which reveals the installation path in an error message.

  • CVE-2023-41425 · Nov 7, 2023
    risk 0.10 · cvss · epss 0.54

    Cross-site scripting vulnerability in Wonder CMS v.3.2.0 through v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.

  • CVE-2020-35314 · Apr 20, 2021
    risk 0.06 · cvss · epss 0.27

    A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3 allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer.

  • CVE-2020-35313 · Apr 20, 2021
    risk 0.04 · cvss · epss 0.45

    A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer.

  • CVE-2020-29233 · Dec 30, 2020
    risk 0.03 · cvss · epss 0.01

    WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component. This vulnerability can allow an attacker to inject an XSS payload into the Page description; each time any user visits the website, the XSS triggers and the attacker can steal the…

  • CVE-2020-29469 · Dec 30, 2020
    risk 0.03 · cvss · epss 0.01

    WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component. This vulnerability can allow an attacker to inject an XSS payload in the Setting - Menu; each time any user visits the website directory, the XSS triggers and the attacker can steal the cookie…

  • CVE-2025-57055 · Sep 17, 2025
    risk 0.00 · cvss · epss 0.00

    WonderCMS 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. An authenticated administrator can supply a malicious URL via the pluginThemeUrl POST parameter. The server fetches the provided URL using curl_exec() without…

  • CVE-2025-3123 · Apr 2, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability, which was classified as critical, has been found in WonderCMS 3.5.0. Affected by this issue is the function installUpdateModuleAction of the component Theme Installation/Plugin Installation. The manipulation leads to unrestricted upload. The attack may be…

  • CVE-2024-41305 · Jul 30, 2024
    risk 0.00 · cvss · epss 0.00

    A Server-Side Request Forgery (SSRF) in the Plugins Page of WonderCMS v3.4.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.

  • CVE-2024-41304 · Jul 30, 2024
    risk 0.00 · cvss · epss 0.00

    An arbitrary file upload vulnerability in the uploadFileAction() function of WonderCMS v3.4.3 allows attackers to execute arbitrary code via a crafted SVG file.

Page 1 of 2