vendor:
WonderCMS
by:
prodigiousMind
8.1
CVSS
CRITICAL
Cross-site scripting (XSS) leading to Remote Code Execution (RCE)
79
CWE
Product Name: WonderCMS
Affected Version From: 4.3.2002
Affected Version To: 4.3.2002
Patch Exists: YES
Related CWE: CVE-2021-41777
CPE: a:wondercms:wondercms:4.3.2
Platforms Tested:
2021
WonderCMS 4.3.2 XSS to RCE
The exploit allows an attacker to craft a link that, when visited by an admin, triggers a cross-site scripting (XSS) vulnerability on WonderCMS version 4.3.2. This XSS vulnerability is then leveraged to remotely execute malicious code on the server, enabling the attacker to take control of the system. This exploit script generates a JavaScript file that, when loaded by the admin, sets up a reverse shell to the attacker's specified IP address and port.
Mitigation:
To mitigate this vulnerability, it is recommended to sanitize and validate user inputs, encode output data, and implement Content Security Policy (CSP) headers. Additionally, keeping the software up to date with the latest patches and security updates is crucial.