CVE-2024-32340
📋 TL;DR
This cross-site scripting (XSS) vulnerability in WonderCMS v3.4.3 allows attackers to inject malicious scripts into the website title parameter, which then executes in users' browsers when they visit the affected settings page. Attackers can steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. All WonderCMS v3.4.3 installations with the vulnerable Menu module are affected.
💻 Affected Systems
- WonderCMS
📦 What is this software?
Wondercms by Wondercms
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover through session hijacking, credential theft, defacement, and installation of backdoors or malware on visitors' systems.
Likely Case
Session hijacking leading to unauthorized administrative access, website defacement, and data exfiltration from logged-in users.
If Mitigated
Limited impact if input validation and output encoding are properly implemented, restricting script execution to non-privileged contexts.
🎯 Exploit Status
Exploitation requires administrative access to the Settings section. The public PoC demonstrates straightforward injection via the WEBSITE TITLE parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.4.4 or later
Vendor Advisory: https://github.com/robiso/wondercms/releases
Restart Required: No
Instructions:
1. Backup your current WonderCMS installation. 2. Download the latest version from the official GitHub repository. 3. Replace all files except the 'data' directory. 4. Clear browser cache and verify the fix.
🔧 Temporary Workarounds
Input Sanitization
allManually add input validation and output encoding to the Menu module's website title parameter.
Edit the Menu module PHP file to apply htmlspecialchars() or similar sanitization to the WEBSITE TITLE input before storage and display.
🧯 If You Can't Patch
- Restrict administrative access to trusted IP addresses only using web server configuration or firewall rules.
- Implement Content Security Policy (CSP) headers to restrict script execution from untrusted sources.
🔍 How to Verify
Check if Vulnerable:
Attempt to inject a simple XSS payload like <script>alert('test')</script> into the WEBSITE TITLE field in the Menu module settings. If the script executes when viewing the settings page, the system is vulnerable.Check Version:
Check the version.txt file in the WonderCMS root directory or view the footer in the admin panel.Verify Fix Applied:
After patching, repeat the XSS payload injection test. The script should be displayed as plain text or properly encoded, not executed.📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to the WEBSITE TITLE parameter in admin logs
- Multiple failed login attempts followed by successful admin access
Network Indicators:
- Unexpected outbound connections from the CMS server to unknown domains
- Suspicious JavaScript payloads in HTTP requests to the settings endpoint
SIEM Query:
source="web_server_logs" AND (uri_path="/admin/settings" OR uri_path LIKE "%/menu%") AND (request_body LIKE "%<script>%" OR request_body LIKE "%javascript:%")