CVE-2020-35314
published 2021-04-20

Priority: P273 · Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 26.91% (97.8th percentile)

A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer.

Affected (1 range)

Vendor: wondercms · Product: wondercms · Version range: not listed · Fixed in: not listed

Detection & IOCs (extracted from sources)

url: https://github.com/zetc0de/wonderplugin/archive/master.zip
path: plugins/wonderplugin/evil.php
path: plugins/wonderplugin-master/evil.php
filename: evil.php
url: ?installThemePlugin=<payload>&type=plugins&token=<token>
path: index.php
  • Monitor HTTP GET requests to WonderCMS index.php containing the query parameter 'installThemePlugin' combined with 'type=plugins' and 'token=', which is the exact request pattern used to trigger the malicious plugin installation.
  • Detect creation or HTTP access of 'evil.php' under the 'plugins/wonderplugin/' or 'plugins/wonderplugin-master/' directories on the web server, which is the dropped webshell.
  • Alert on outbound connections from the web server to github.com fetching 'wonderplugin/archive/master.zip', indicating the exploit payload ZIP is being pulled during exploitation.
  • The webshell responds with the string '1337' in its body when successfully deployed; monitor HTTP responses from PHP files in the plugins directory containing this string as a beacon check.
  • The exploit posts commands via a 'cmd' POST parameter to the dropped evil.php webshell; detect POST requests to any PHP file under the plugins directory containing a 'cmd' parameter.
  • The vulnerability is in the 'installUpdateThemePluginAction' function in index.php; monitor application logs or WAF for invocations of this function with attacker-controlled ZIP URLs.
  • Exploitation requires a valid authenticated session on the CMS; unauthenticated attackers cannot directly trigger this RCE without first obtaining credentials.
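As an added example (not part of this record and not code from the WonderCMS project), the following Python script applies the request-pattern and file-path checks listed above to web-server access-log lines and egress-proxy lines. The log formats, client addresses, timestamps and the benign requests are constructed assumptions; the index.php parameters, the evil.php paths and the GitHub ZIP URL are the indicators listed on this page.

```python
"""Detection checks for the CVE-2020-35314 indicators listed above.

Inputs are constructed for this example: access logs in Combined Log Format
and egress-proxy lines in an assumed '<time> <client> <method> <url>' layout.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: host ident user [time] "METHOD target HTTP/x" status size "referer" "ua"
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Dropped webshell paths from the IOC list (both directory spellings).
WEBSHELL_RE = re.compile(r'^/plugins/wonderplugin(?:-master)?/evil\.php$')
# Any PHP file under plugins/ receiving a POST (the 'cmd' body parameter itself
# is not visible in access logs, so the POST target alone is the signal here).
PLUGIN_PHP_RE = re.compile(r'^/plugins/.+\.php$')
# Exploit payload ZIP the web server fetches during exploitation.
EXPLOIT_ZIP_HOST = 'github.com'
EXPLOIT_ZIP_PATH = '/zetc0de/wonderplugin/archive/master.zip'


def classify_request(method, target):
    """Return the IOC tags triggered by one request line (empty list if benign)."""
    parts = urlsplit(target)
    path = parts.path
    qs = parse_qs(parts.query, keep_blank_values=True)
    tags = []
    # Pattern: index.php?installThemePlugin=<url>&type=plugins&token=<token>
    if (path.endswith('/index.php') and 'installThemePlugin' in qs
            and qs.get('type') == ['plugins'] and 'token' in qs):
        tags.append('plugin-installer-trigger')
    if WEBSHELL_RE.match(path):
        tags.append('webshell-access')
    if method == 'POST' and PLUGIN_PHP_RE.match(path):
        tags.append('post-to-plugin-php')
    return tags


def scan_access_log(lines):
    """Parse access-log lines and return one alert dict per line that hit an IOC."""
    alerts = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        tags = classify_request(m['method'], m['target'])
        if tags:
            alerts.append({'src': m['host'], 'time': m['time'],
                           'target': m['target'], 'tags': tags})
    return alerts


def scan_egress_log(lines):
    """Flag outbound fetches of the exploit ZIP in '<time> <client> <method> <url>' lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        url = urlsplit(fields[3])
        if url.netloc == EXPLOIT_ZIP_HOST and url.path == EXPLOIT_ZIP_PATH:
            hits.append({'client': fields[1], 'time': fields[0], 'url': fields[3]})
    return hits


# Constructed sample data (addresses, timestamps and the benign request are made up).
ACCESS_LOG = [
    '10.0.0.5 - - [20/Apr/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Apr/2021:10:00:07 +0000] "GET /index.php?installThemePlugin='
    'https%3A%2F%2Fgithub.com%2Fzetc0de%2Fwonderplugin%2Farchive%2Fmaster.zip'
    '&type=plugins&token=REDACTED HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '10.0.0.5 - - [20/Apr/2021:10:00:09 +0000] "GET /plugins/wonderplugin-master/evil.php HTTP/1.1" 200 4 "-" "curl/7.68.0"',
    '10.0.0.5 - - [20/Apr/2021:10:00:12 +0000] "POST /plugins/wonderplugin-master/evil.php HTTP/1.1" 200 87 "-" "curl/7.68.0"',
    '10.0.0.9 - - [20/Apr/2021:10:01:00 +0000] "GET /themes/default/css/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
EGRESS_LOG = [
    '2021-04-20T10:00:07Z 10.0.0.20 GET https://github.com/zetc0de/wonderplugin/archive/master.zip',
    '2021-04-20T10:00:30Z 10.0.0.20 GET https://example.invalid/updates/manifest.json',
]

if __name__ == '__main__':
    for alert in scan_access_log(ACCESS_LOG):
        print('ACCESS', alert)
    for hit in scan_egress_log(EGRESS_LOG):
        print('EGRESS', hit)
```

Access logs carry neither POST bodies nor response bodies, so the 'cmd' parameter and the '1337' beacon string from the list above can only be matched by a WAF or reverse proxy that logs request and response bodies; this script therefore treats any POST to a PHP file under plugins/ as a hit on its own. The web-server host in the egress lines is an assumed address, and in a real deployment the outbound match should be restricted to the CMS host's address.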

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P