彙總 wondercms 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 SSRF、路徑處理缺陷與CSRF 相關,可能在 生產負載與軟體部署 場景中帶來 檔案覆寫與異常行為 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2024-58305 | WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticated administrator into accessing a malicious link. | [email protected] | 8.6 | 0.37% | 2025-12-12 | 2026-06-17 |
| CVE-2025-57055 | WonderCMS 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. An authenticated administrator can supply a malicious URL via the pluginThemeUrl POST parameter. The server fetches the provided URL using curl_exec() without sufficient validation, allowing the attacker to force internal or external HTTP requests. | [email protected] | 6.5 | 0.38% | 2025-09-17 | 2026-06-17 |
| CVE-2025-3123 | A vulnerability, which was classified as critical, has been found in WonderCMS 3.5.0. Affected by this issue is the function installUpdateModuleAction of the component Theme Installation/Plugin Installation. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains, that "[t]he philosophy has always been, admin [...] | [email protected] | 5.1 | 0.48% | 2025-04-02 | 2026-06-17 |
| CVE-2024-41305 | A Server-Side Request Forgery (SSRF) in the Plugins Page of WonderCMS v3.4.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter. | [email protected] | 4.7 | 0.18% | 2024-07-30 | 2026-06-17 |
| CVE-2024-41304 | An arbitrary file upload vulnerability in the uploadFileAction() function of WonderCMS v3.4.3 allows attackers to execute arbitrary code via a crafted SVG file. | [email protected] | 5.4 | 0.36% | 2024-07-30 | 2026-06-17 |
| CVE-2024-32746 | A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the MENU parameter under the Menu module. | [email protected] | 4.6 | 0.45% | 2024-04-17 | 2026-06-17 |
| CVE-2024-32745 | A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the PAGE DESCRIPTION parameter under the CURRENT PAGE module. | [email protected] | 5.9 | 0.32% | 2024-04-17 | 2026-06-17 |
| CVE-2024-32744 | A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the PAGE KEYWORDS parameter under the CURRENT PAGE module. | [email protected] | 4.6 | 0.40% | 2024-04-17 | 2026-06-17 |
| CVE-2024-32743 | A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SITE LANGUAGE CONFIG parameter under the Security module. | [email protected] | 5.5 | 0.40% | 2024-04-17 | 2026-06-17 |
| CVE-2024-32341 | Multiple cross-site scripting (XSS) vulnerabilities in the Home page of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into any of the parameters. | [email protected] | 5.4 | 0.39% | 2024-04-17 | 2026-06-17 |
| CVE-2024-32340 | A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the WEBSITE TITLE parameter under the Menu module. | [email protected] | 9.6 | 0.71% | 2024-04-17 | 2026-06-17 |
| CVE-2024-32339 | Multiple cross-site scripting (XSS) vulnerabilities in the HOW TO page of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into any of the parameters. | [email protected] | 6.1 | 0.40% | 2024-04-17 | 2026-06-17 |
| CVE-2024-32338 | A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the PAGE TITLE parameter under the Current Page module. | [email protected] | 5.4 | 0.40% | 2024-04-17 | 2026-06-17 |
| CVE-2024-32337 | A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ADMIN LOGIN URL parameter under the Security module. | [email protected] | 6.1 | 0.43% | 2024-04-17 | 2026-06-17 |
| CVE-2024-27563 | A Server-Side Request Forgery (SSRF) in the getFileFromRepo function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter. | [email protected] | 5.3 | 0.42% | 2024-03-05 | 2026-06-17 |
| CVE-2024-27561 | A Server-Side Request Forgery (SSRF) in the installUpdateThemePluginAction function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the installThemePlugin parameter. | [email protected] | 8.1 | 0.58% | 2024-03-05 | 2026-06-17 |
| CVE-2023-41425 | Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component. | [email protected] | 6.1 | 54.31% | 2023-11-07 | 2026-07-08 |
| CVE-2022-43332 | A cross-site scripting (XSS) vulnerability in Wondercms v3.3.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Site title field of the Configuration Panel. | [email protected] | 6.1 | 0.56% | 2022-11-17 | 2026-06-17 |
| CVE-2020-35314 | A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer. | [email protected] | 9.8 | 26.91% | 2021-04-20 | 2026-06-16 |
| CVE-2020-35313 | A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer. | [email protected] | 9.8 | 45.22% | 2021-04-20 | 2026-06-16 |