CVE-2020-35313

9.8 CRITICAL

📋 TL;DR

This SSRF vulnerability in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code by exploiting the theme/plugin installer functionality. Attackers can craft malicious URLs that trigger server-side requests to internal systems, potentially leading to remote code execution. All WonderCMS 3.1.3 installations with the vulnerable code are affected.

💻 Affected Systems

Products:
  • WonderCMS
Versions: 3.1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the admin panel or ability to trigger the vulnerable function.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution, data exfiltration, and lateral movement to internal networks.

🟠 Likely Case

Server takeover leading to website defacement, data theft, and installation of backdoors or malware.

🟢 If Mitigated

Limited impact if proper network segmentation and input validation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to the admin panel. Multiple public PoCs exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.4 and later

Vendor Advisory: https://github.com/robiso/wondercms

Restart Required: No

Instructions:

1. Backup your WonderCMS installation.
2. Download WonderCMS 3.1.4 or later from the official repository.
3. Replace the vulnerable index.php file with the patched version.
4. Verify the fix by checking the version in the admin panel.

🔧 Temporary Workarounds

Disable theme/plugin installer (Platform: all)

Remove or restrict access to the vulnerable addCustomThemePluginRepository function.

# Edit index.php and comment out or remove the vulnerable function

Restrict admin panel access (Platform: all)

Limit admin panel access to specific IP addresses using .htaccess or web server configuration.

# In .htaccess:
Order deny,allow
Deny from all
Allow from 192.168.1.100

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the WonderCMS server from internal systems.
  • Deploy a web application firewall (WAF) with SSRF protection rules.

🔍 How to Verify

Check if Vulnerable:

Check if your WonderCMS version is 3.1.3 by logging into the admin panel and viewing the version in the footer.

Check Version:

# Check the version in the admin panel footer or in index.php

Verify Fix Applied:

After patching, verify the version shows 3.1.4 or later in the admin panel footer.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to index.php with URL parameters
  • Requests to internal IP addresses from the WonderCMS server
  • Unexpected theme/plugin installation attempts

Network Indicators:

  • Outbound connections from WonderCMS server to internal services
  • Unusual port scanning activity from the web server

SIEM Query:

source="web_server_logs" AND (uri="/index.php" AND (param="addCustomThemePluginRepository" OR param CONTAINS "http://" OR param CONTAINS "://"))
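The SIEM query above states the detection idea in pseudo-query form. The following Python script is an added example, not part of the advisory or of WonderCMS, that applies the same logic to constructed Apache combined-format access-log lines: it flags requests to /index.php that carry the addCustomThemePluginRepository parameter or any parameter value containing "://", percent-decodes values so an encoded "%3A%2F%2F" is not missed, and raises the severity when the embedded URL points at a loopback, private or link-local address (the "requests to internal IP addresses" indicator listed above). Only the parameter name addCustomThemePluginRepository comes from the advisory; the hosts, timestamps and the other parameter names in the sample log are made up.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (hypothetical hosts, timestamps and
# parameter names). Only addCustomThemePluginRepository is from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2021:10:00:07 +0000] "GET /index.php?addCustomThemePluginRepository=https://github.com/example/theme HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2021:10:01:13 +0000] "GET /index.php?addCustomThemePluginRepository=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 640 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jan/2021:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2021:10:02:30 +0000] "GET /index.php?theme=http://192.168.1.10/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
SUSPECT_PARAM = "addCustomThemePluginRepository"


def is_internal_host(host):
    """True for IP literals in loopback, private (RFC 1918) or link-local ranges.

    Hostnames are not resolved (the check runs offline); only the literal
    'localhost' is treated as internal.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local


def analyse_line(line):
    """Return an alert dict for a suspicious /index.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path != "/index.php":
        return None
    reasons, targets = [], []
    # parse_qsl percent-decodes values, so an encoded "%3A%2F%2F" is still caught.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == SUSPECT_PARAM:
            reasons.append(f"parameter {SUSPECT_PARAM} used")
        if "://" in value:
            reasons.append(f"URL in parameter {name}")
            targets.append(urlsplit(value).hostname or "")
    if not reasons:
        return None
    # A URL aimed at an internal address is the SSRF pattern the advisory
    # describes, so it outranks a request that merely uses the installer.
    severity = "high" if any(is_internal_host(h) for h in targets) else "medium"
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "reasons": reasons,
        "targets": targets,
        "severity": severity,
    }


def scan(log_text):
    """Run analyse_line over every line and keep only the alerts."""
    return [a for a in (analyse_line(line) for line in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["src"], alert["ts"],
              "; ".join(alert["reasons"]), alert["targets"])
```

Run against the sample log, the script produces three alerts: the GitHub repository URL is medium (installer used, external target), while the two requests whose URL parameter points at 127.0.0.1 and 192.168.1.10 are high. The host check deliberately does not resolve DNS names, so a hostname that resolves to an internal address would only be caught by the "URL in parameter" rule at medium severity; correlate with the outbound-connection indicators above for that case.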
