Wondercms
by WonderCMS
Source repositories
CVEs (8)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-8705 | Cri | 0.64 | 9.8 | 0.01 | Mar 17, 2017 | PHP remote file inclusion vulnerability in editInplace.php in Wonder CMS 2014 allows remote attackers to execute arbitrary PHP code via a URL in the hook parameter. | |
| CVE-2014-8704 | Cri | 0.64 | 9.8 | 0.01 | Mar 17, 2017 | Directory traversal vulnerability in index.php in Wonder CMS 2014 allows remote attackers to include and execute arbitrary local files via a crafted theme. | |
| CVE-2024-58305 | Hig | 0.57 | 8.8 | 0.00 | Dec 12, 2025 | WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticated administrator into accessing a malicious link. | |
| CVE-2017-7951 | Hig | 0.57 | 8.8 | 0.00 | Apr 21, 2017 | WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context. | |
| CVE-2014-8701 | Hig | 0.49 | 7.5 | 0.00 | Mar 17, 2017 | Wonder CMS 2014 allows remote attackers to obtain sensitive information by viewing /files/password, which reveals the unsalted MD5 hashed password. | |
| CVE-2014-8703 | Med | 0.40 | 6.1 | 0.00 | Mar 17, 2017 | Cross-site scripting (XSS) vulnerability in Wonder CMS 2014 allows remote attackers to inject arbitrary web script or HTML. | |
| CVE-2014-8702 | Med | 0.34 | 5.3 | 0.00 | Mar 17, 2017 | Wonder CMS 2014 allows remote attackers to obtain sensitive information by logging into the application with an array for the password, which reveals the installation path in an error message. | |
| CVE-2011-5317 | 0.00 | — | 0.00 | Jan 1, 2015 | Cross-site scripting (XSS) vulnerability in editText.php in WonderCMS before 0.4 allows remote attackers to inject arbitrary web script or HTML via the content parameter. |