Vulnerabilities > Wondercms

DATE CVE VULNERABILITY TITLE RISK
2021-04-20 CVE-2020-35314 OS Command Injection vulnerability in Wondercms 3.1.3
A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer.
network
low complexity
wondercms CWE-78
7.5
7.5
2021-04-20 CVE-2020-35313 Server-Side Request Forgery (SSRF) vulnerability in Wondercms 3.1.3
A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer.
network
low complexity
wondercms CWE-918
7.5
7.5
2020-12-30 CVE-2020-29469 Cross-site Scripting vulnerability in Wondercms 3.1.3
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component.
network
wondercms CWE-79
3.5
3.5
2020-12-30 CVE-2020-29233 Cross-site Scripting vulnerability in Wondercms 3.1.3
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component.
network
wondercms CWE-79
3.5
3.5
2020-12-24 CVE-2020-29247 Cross-site Scripting vulnerability in Wondercms 3.1.3
WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Admin Panel.
network
wondercms CWE-79
4.3
4.3
2019-09-12 CVE-2019-5956 Path Traversal vulnerability in Wondercms
Directory traversal vulnerability in WonderCMS 2.6.0 and earlier allows remote attackers to delete arbitrary files via unspecified vectors.
network
low complexity
wondercms CWE-22
7.5
7.5
2018-07-18 CVE-2018-14387 Session Fixation vulnerability in Wondercms
An issue was discovered in WonderCMS before 2.5.2.
network
wondercms CWE-384
6.8
6.8
2018-02-27 CVE-2018-7172 Path Traversal vulnerability in Wondercms
In index.php in WonderCMS before 2.4.1, remote attackers can delete arbitrary files via directory traversal.
network
low complexity
wondercms CWE-22
5.5
5.5
2018-02-09 CVE-2018-1000062 Cross-site Scripting vulnerability in Wondercms 2.4.0
WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute arbitrary script on an unsuspecting user's browser.
network
wondercms CWE-79
3.5
3.5
2018-01-26 CVE-2017-14523 Injection vulnerability in Wondercms 2.3.1
** DISPUTED ** WonderCMS 2.3.1 is vulnerable to an HTTP Host header injection attack.
network
low complexity
wondercms CWE-74
5.0
5.0