CVE-2023-41425
Published 2023-11-07
Priority: P3 (56) · Severity: medium · CVSS 3.1 base score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: available
EPSS: 54.31% (98.9th percentile)
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wondercms | wondercms | 3.2.0 – 3.4.2 | — |
Detection & IOCs (extracted from sources)
- Detect GET requests to the installModule endpoint with an external URL parameter, which is the XSS-to-RCE delivery mechanism used in this exploit.
- Detect XSS payload injection targeting the WonderCMS login page via the page parameter, used to deliver the malicious JS to an authenticated admin.
- Alert on JavaScript executing XMLHttpRequest with withCredentials=true to the installModule endpoint, indicative of the XSS payload pivoting to RCE.
- Flag ZIP file uploads or remote ZIP fetches via installModule where directoryName=pwned and type=themes, as these are hardcoded attacker-controlled values in the exploit.
- This is an authenticated vulnerability; monitor for unusual admin-session activity followed by installModule requests fetching external resources.
- The attacker-controlled IP (xip) and port (xport) for the malicious.zip HTTP server are runtime arguments and will vary per attack; no fixed IOC can be derived for these values.
- The exploit requires an authenticated admin session to trigger the installModule endpoint; the XSS vector is used to hijack an active admin session, so detections should account for the two-stage delivery (XSS, then RCE).
No detection rules found.
Exploit-DB: WonderCMS 3.4.2 - Remote Code Execution (RCE)
exploitdb · 2025-04-22 · CVSS 6.1 · CVE-2023-41425 [MEDIUM]
---
```python
# Exploit Title: WonderCMS 3.4.2 - Remote Code Execution (RCE)
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# CVE: CVE-2023-41425
import requests
import argparse
from argparse import RawTextHelpFormatter
import os
import subprocess
import zipfile
from termcolor import colored


def main():
    parser = argparse.ArgumentParser(description="Exploit Wonder CMS v3.4.2 XSS to RCE",
                                     formatter_class=RawTextHelpFormatter)
    parser.add_argument("--url", required=True,
                        help="Target URL of loginURL (Example: http://sea.htb/loginURL)")
    parser.add_argument("--xip", required=True, help="IP for HTTP web
```
Metasploit: WonderCMS Remote Code Execution
metasploit · CVSS 6.1 · CVE-2023-41425 [MEDIUM]
This module exploits CVE-2023-41425, an authenticated file upload vulnerability affecting WonderCMS between 3.2.0 and 3.4.2.
Published: 2023-11-07