Wonder CMS 2.3.1 File Upload

Wonder CMS version 2.3.1 suffers from an unrestricted file upload vulnerability.

MD5 | 8d2b27458a39cb4be078a61a6a808cf9

Affected Code:

public static function _uploadFile() { +
- if ( ! wCMS::$loggedIn && ! isset($_FILES['uploadFile']) && ! isset($_REQUEST['token'])) return; + private static function uploadFileAction()
- if (isset($_REQUEST['token']) && $_REQUEST['token'] == wCMS::_generateToken() && isset($_FILES['uploadFile'])) {

Proof of Concept
Steps to Reproduce:

1. Login with a valid credentials
2. Select Files option from the Settings menu of Content
3. Upload a file with php extension containing the below code:





4. Click on Upload
5. Once the file is uploaded Click on the uploaded file and add ?cmd= to
the URL followed by a system command such as whoami,time,date etc.

Recommended Patch:

Create a whitelist of allowed filetypes.

The patch that addresses this bug is available here:


At line 742

Related Posts