## https://sploitus.com/exploit?id=9C8B4691-CEA3-5547-834D-8AAB845D790F
# CVE โ WonderCMS 3.6.0 Stored XSS via Search Widget
**Severity:** High (CVSS 3.1: 7.4)
**Affected version:** WonderCMS โค 3.6.0
**GitHub Advisory:** GHSA-5x7j-xjpx-pmm5
**Reporter:** Mateus Gama (theblessone.sec@gmail.com)
**Disclosure:** Coordinated โ 2026-05-25
---
## Vulnerability
WonderCMS 3.6.0 renders the search query parameter directly via `innerHTML` without sanitisation. Any authenticated user with access to site settings can store a script tag that executes in the context of every visitor.
**Sink** โ `search.js`:
```javascript
searchResultsDiv.innerHTML = data; // unsanitised HTML from server
```
**Source** โ server passes the raw `?search=` query value into the rendered HTML response.
---
## Impact
- Session hijacking (steal admin cookies โ full site takeover)
- Defacement
- Credential phishing
- Malware distribution to every visitor
---
## Proof of Concept
### Prerequisites
- A WonderCMS 3.6.0 instance accessible in a browser
- Any account that can save site settings (default: admin)
### Steps
1. Log in to the WonderCMS admin panel
2. Navigate to **Settings โ Custom HTML** (or any editable text block)
3. Inject the payload below into the search widget's configuration
4. Save โ the XSS fires for every user who loads a page with the search widget
### Automated PoC (requires valid session cookie)
```bash
bash poc/exploit.sh http://target.com PHPSESSID=your_session_cookie
```
See `poc/exploit.sh` for details.
---
## Payloads
| File | Description |
|------|-------------|
| `payloads/basic_alert.html` | Sanity check โ `alert(1)` |
| `payloads/cookie_steal.html` | Exfiltrates `document.cookie` to attacker server |
| `payloads/keylogger.html` | Logs keystrokes |
---
## Remediation
Sanitise all user-supplied values before assigning to `innerHTML`. Use `textContent` for plain text or a DOM-purify library for HTML:
```javascript
// Replace:
searchResultsDiv.innerHTML = data;
// With:
searchResultsDiv.textContent = data;
// Or for HTML: import DOMPurify; searchResultsDiv.innerHTML = DOMPurify.sanitize(data);
```
---
## Timeline
| Date | Event |
|------|-------|
| 2026-05-25 | Vulnerability discovered |
| 2026-05-25 | GitHub Security Advisory created (GHSA-5x7j-xjpx-pmm5) |
| TBD | CVE ID assigned |