CVE-2020-35314
Published 2021-04-20
Priority: P2 · 73 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 26.91% (97.8th percentile)
A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3 allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wondercms | wondercms | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to WonderCMS index.php containing the query parameter 'installThemePlugin' combined with 'type=plugins' and 'token=', which is the exact request pattern used to trigger the malicious plugin installation.
- Detect creation or HTTP access of 'evil.php' under the 'plugins/wonderplugin/' or 'plugins/wonderplugin-master/' directories on the web server, which is the dropped webshell.
- Alert on outbound connections from the web server to github.com fetching 'wonderplugin/archive/master.zip', indicating the exploit payload ZIP is being pulled during exploitation.
- The webshell responds with the string '1337' in its body when successfully deployed; monitor HTTP responses from PHP files in the plugins directory containing this string as a beacon check.
- The exploit posts commands via a 'cmd' POST parameter to the dropped evil.php webshell; detect POST requests to any PHP file under the plugins directory containing a 'cmd' parameter.
- The vulnerability is in the 'installUpdateThemePluginAction' function in index.php; monitor application logs or WAF for invocations of this function with attacker-controlled ZIP URLs.
- Caveat: exploitation requires a valid authenticated session on the CMS; unauthenticated attackers cannot directly trigger this RCE without first obtaining credentials.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- https://github.com/robiso/wondercms
- https://packetstormsecurity.com/files/160311/WonderCMS-3.1.3-Remote-Code-Execution.html
- https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/
- https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/#authenticated-remote-code-execution