Key Information

Vulnerability Overview

Vulnerability Type: Remote Code Execution (RCE)
Affected Version: WonderCMS 3.5.0
Vulnerable Location: function, responsible for handling theme and plugin installation/update functionality.

Vulnerability Details

An attacker can execute arbitrary code on the target server by supplying a malicious ZIP file. The function downloads a ZIP file from a user-supplied URL and extracts it into a server directory without properly validating the contents of the archive.

Exploitation Steps

1. Prepare a malicious ZIP file:
   - It contains a PHP web shell ( ) and the required module configuration file ( ).
2. Deploy the malicious ZIP file:
   - Place the ZIP file at a publicly accessible URL.
3. Create a malicious module configuration:
   - Create a file containing the malicious theme information.
4. Add the custom module:
   - Log in to WonderCMS as an administrator, navigate to Settings → Themes, and enter the URL of the malicious module configuration file.
5. Install the malicious theme:
   - In the themes list, locate "Malicious Theme" and click the "Install" button.
6. Access the web shell:
   - After installation, the web shell is deployed at , allowing command execution via this file.

Vulnerability Verification

Install WonderCMS 3.5.0 locally and follow the steps above to verify whether command execution succeeds.

Mitigation Recommendations

1. Implement strict file type validation.
2. Perform security scanning on the contents of the ZIP file.
3. Restrict the types and permissions of extracted files.
4. Extract into a secure temporary directory and validate the contents before moving them to the final location.
5. Implement a Content Security Policy (CSP) to restrict execution.

Impact Scope

WonderCMS 3.5.0 and possibly earlier versions. All WonderCMS instances using the default installation.
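One way to implement mitigations 1 to 4 above in the installer's own language, as an added PHP example that is not WonderCMS's code: validateZipEntries, installFromZip and ALLOWED_EXTENSIONS are hypothetical names, and the allowlist in particular must be adjusted to whatever legitimate theme and plugin packages for the application actually contain.

```php
<?php
// Added example, not WonderCMS code. ALLOWED_EXTENSIONS is an assumption
// for illustration and must match what legitimate packages contain.
const ALLOWED_EXTENSIONS = ['css', 'js', 'html', 'json', 'md', 'txt',
    'png', 'jpg', 'jpeg', 'gif', 'svg', 'woff', 'woff2'];
// Returns a list of problems; an empty list means the archive passed.
function validateZipEntries(ZipArchive $zip): array
{
    $problems = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (substr($name, -1) === '/') {
            continue; // directory entry, nothing to extract
        }
        // Absolute, backslash, NUL or ".." paths could escape the target dir.
        if (substr($name, 0, 1) === '/' || strpbrk($name, "\\\0") !== false
            || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            $problems[] = "unsafe path: $name";
            continue;
        }
        // Reject any PHP-like name segment (foo.php, foo.php.png); allowlist the rest.
        if (preg_match('/\.(php\d?|phtml|phar|inc)(\.|$)/i', basename($name))) {
            $problems[] = "executable file: $name";
        } elseif (!in_array(strtolower(pathinfo($name, PATHINFO_EXTENSION)),
                            ALLOWED_EXTENSIONS, true)) {
            $problems[] = "disallowed file type: $name";
        }
    }
    return $problems;
}
// Validate first, extract into a private temporary directory outside the
// web root, and move the tree into place only if nothing was rejected.
function installFromZip(string $zipPath, string $finalDir): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return false;
    }
    $problems = validateZipEntries($zip);
    if ($problems !== []) {
        $zip->close();
        error_log('rejected archive: ' . implode('; ', $problems));
        return false;
    }
    $tmp = sys_get_temp_dir() . '/pkg-' . bin2hex(random_bytes(8));
    mkdir($tmp, 0700, true);
    $ok = $zip->extractTo($tmp);
    $zip->close();
    return $ok && rename($tmp, $finalDir);
}
```

rename() of a directory fails across filesystems, so the temporary location should sit on the same volume as the final directory while still being outside the web root.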