Share
## https://sploitus.com/exploit?id=9C8B4691-CEA3-5547-834D-8AAB845D790F
# CVE โ€” WonderCMS 3.6.0 Stored XSS via Search Widget

**Severity:** High (CVSS 3.1: 7.4)  
**Affected version:** WonderCMS โ‰ค 3.6.0  
**GitHub Advisory:** GHSA-5x7j-xjpx-pmm5  
**Reporter:** Mateus Gama (theblessone.sec@gmail.com)  
**Disclosure:** Coordinated โ€” 2026-05-25  

---

## Vulnerability

WonderCMS 3.6.0 renders the search query parameter directly via `innerHTML` without sanitisation. Any authenticated user with access to site settings can store a script tag that executes in the context of every visitor.

**Sink** โ€” `search.js`:
```javascript
searchResultsDiv.innerHTML = data;  // unsanitised HTML from server
```

**Source** โ€” server passes the raw `?search=` query value into the rendered HTML response.

---

## Impact

- Session hijacking (steal admin cookies โ†’ full site takeover)
- Defacement
- Credential phishing
- Malware distribution to every visitor

---

## Proof of Concept

### Prerequisites

- A WonderCMS 3.6.0 instance accessible in a browser
- Any account that can save site settings (default: admin)

### Steps

1. Log in to the WonderCMS admin panel
2. Navigate to **Settings โ†’ Custom HTML** (or any editable text block)
3. Inject the payload below into the search widget's configuration
4. Save โ€” the XSS fires for every user who loads a page with the search widget

### Automated PoC (requires valid session cookie)

```bash
bash poc/exploit.sh http://target.com PHPSESSID=your_session_cookie
```

See `poc/exploit.sh` for details.

---

## Payloads

| File | Description |
|------|-------------|
| `payloads/basic_alert.html` | Sanity check โ€” `alert(1)` |
| `payloads/cookie_steal.html` | Exfiltrates `document.cookie` to attacker server |
| `payloads/keylogger.html` | Logs keystrokes |

---

## Remediation

Sanitise all user-supplied values before assigning to `innerHTML`. Use `textContent` for plain text or a DOM-purify library for HTML:

```javascript
// Replace:
searchResultsDiv.innerHTML = data;
// With:
searchResultsDiv.textContent = data;
// Or for HTML: import DOMPurify; searchResultsDiv.innerHTML = DOMPurify.sanitize(data);
```

---

## Timeline

| Date | Event |
|------|-------|
| 2026-05-25 | Vulnerability discovered |
| 2026-05-25 | GitHub Security Advisory created (GHSA-5x7j-xjpx-pmm5) |
| TBD | CVE ID assigned |