A vulnerability, which was classified as critical, has been found in WonderCMS 3.5.0. Affected by this issue is the function installUpdateModuleAction of the component Theme Installation/Plugin Installation. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains, that "[t]he philosophy has always been, admin [...] bear responsibility to not install themes/plugins from untrusted sources."
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
| Link | Tags |
|---|---|
| https://vuldb.com/?id.303014 | technical description third party advisory vdb entry |
| https://vuldb.com/?ctiid.303014 | signature vdb entry permissions required |
| https://vuldb.com/?submit.525101 | third party advisory vdb entry |
| https://github.com/WonderCMS/wondercms/issues/330 | vendor advisory issue tracking exploit |
| https://github.com/WonderCMS/wondercms/issues/330#issuecomment-2745347770 | vendor advisory issue tracking exploit |
| https://github.com/WonderCMS/wondercms/issues/330#issue-2940381112 | issue tracking exploit vendor advisory |