Key Information

Vulnerability Overview
CVE ID: CVE-2025-57055
Vulnerability Type: Remote Code Execution (RCE) through the administrator's remote theme/module installer. The "authentication bypass" in this report is practical rather than logical: a default installation exposes its admin password on the public homepage (see PoC step 1), so the authenticated installer is reachable by anyone.
Affected Software: WonderCMS v3.5.0

Vulnerability Mechanism
Root Cause: The application installs remote themes/modules from JSON descriptors. If a descriptor references a ZIP archive, the archive is fetched and its contents are extracted into a web-accessible directory (e.g., ). Any PHP files inside the ZIP are therefore reachable over HTTP and are executed by the PHP handler like any other script on the site.

Risk Factors:
- No validation or sanitization of ZIP contents before extraction.
- No restriction on the file types extracted from remote sources.
- Theme and plugin directories are served directly by the web server.

Acceptance Criteria for Remote Module/Theme Descriptors
WonderCMS accepts and attempts to install a remote module/theme if the submitted JSON descriptor conforms to the expected format. A descriptor that passes the format checks and points to a ZIP archive is fetched, and the archive contents are extracted into a web-accessible directory (e.g., ) without any further file type validation.

Proof of Concept (PoC)
Warning: Do not run on production systems. Use only in authorized testing environments.

Steps:
1. Retrieve the admin password from the publicly exposed homepage of a default WonderCMS installation.
2. Log in to the admin panel.
3. Navigate to the theme installation section.
4. Provide a URL pointing to a malicious JSON descriptor (e.g., hosted on an attacker-controlled server).
5. Initiate installation. The server will:
- Fetch the descriptor.
- Download the ZIP archive it references.
- Extract the archive, installing the malicious theme.
6. Access the extracted PHP shell (e.g., ) to execute arbitrary commands.

Vendor Response
The vulnerability was reported to the WonderCMS maintainers in July 2025. The maintainers acknowledged the report but considered this behavior acceptable for administrators. The practical consequence is that administrator access is equivalent to code execution on the host, so protecting the admin credential is the primary control until the installer validates what it extracts.

Mitigation Guidance
- Restrict remote installation functionality to trusted sources (e.g., GitHub only). Note that a trusted host can still serve a ZIP containing PHP, so source allowlisting does not replace content validation.
- Validate and sanitize ZIP contents before extraction: reject executable file types, hidden files such as .htaccess, and entry names containing path traversal.
- Strengthen authentication:
  - Hide the admin password after installation.
  - Enforce username/password login.
  - Enable multi-factor authentication (if available).
- Configure the web server to deny execution of PHP (and other executable files) within the theme and plugin directories, so that an extracted script is served, if at all, as inert content.
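The unvalidated extraction described under Root Cause and the pre-extraction check that the mitigation list calls for, shown side by side as an added example in PHP. This is not WonderCMS code: the function names vetArchiveEntries, installUnsafe and installSafe, the two extension lists and the constructed demo archive are assumptions for illustration. installUnsafe mirrors the "extract everything into the web root" pattern the advisory describes; installSafe extracts only entries that pass the check.

```php
<?php
// Added example, not WonderCMS's own code: a hypothetical pre-extraction check
// an installer could run on a downloaded theme/module archive before calling
// ZipArchive::extractTo(). Assumes PHP 8+ with the zip extension.
declare(strict_types=1);
// Extensions a typical PHP handler (mod_php, PHP-FPM) may execute. Assumption:
// adjust the list to the handlers actually configured on your server.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
    'phtml', 'phar', 'phps', 'inc', 'cgi', 'pl', 'sh', 'htaccess'];
// Content a theme or module legitimately ships; anything else is refused.
const ALLOWED_EXTENSIONS = ['css', 'js', 'json', 'html', 'png', 'jpg', 'jpeg',
    'gif', 'svg', 'webp', 'ico', 'woff', 'woff2', 'ttf', 'md', 'txt'];

// Return the entry names that are safe to extract. Throws on the first bad
// entry so that a partially installed theme never reaches disk.
function vetArchiveEntries(ZipArchive $zip): array
{
    $safe = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || $name === '') {
            throw new RuntimeException("unreadable entry at index $i");
        }
        // Absolute paths, backslashes, NUL bytes and ".." segments allow writes
        // outside the target directory and must never reach extractTo().
        if ($name[0] === '/' || str_contains($name, '\\') || str_contains($name, "\0")
            || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            throw new RuntimeException("unsafe path in archive: $name");
        }
        if (str_ends_with($name, '/')) {
            continue; // directory entry: extractTo() recreates it as needed
        }
        $base = basename($name);
        // Dotfiles (.htaccess, .user.ini) can re-enable execution for the directory.
        if ($base[0] === '.') {
            throw new RuntimeException("hidden file in archive: $name");
        }
        // Check every extension segment, not only the last, so "shell.php.png"
        // is rejected too (some Apache handler setups execute it).
        $segments = array_map('strtolower', explode('.', $base));
        array_shift($segments); // drop the file stem
        foreach ($segments as $ext) {
            if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
                throw new RuntimeException("executable file in archive: $name");
            }
        }
        // end() is false for a name with no extension, which is also refused.
        if (!in_array(end($segments), ALLOWED_EXTENSIONS, true)) {
            throw new RuntimeException("disallowed file type in archive: $name");
        }
        $safe[] = $name;
    }
    return $safe;
}

// Vulnerable pattern: every entry, PHP files included, lands in the web root.
function installUnsafe(string $zipPath, string $destDir): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $zip->extractTo($destDir);
    $zip->close();
}

// Hardened pattern: vet first, then extract only the vetted entry names.
function installSafe(string $zipPath, string $destDir): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    try {
        $entries = vetArchiveEntries($zip);
        if ($entries !== [] && !$zip->extractTo($destDir, $entries)) {
            throw new RuntimeException("extraction failed");
        }
    } finally {
        $zip->close();
    }
}

// Constructed demo archive (not a real theme): a stylesheet plus a PHP shell.
$tmp = tempnam(sys_get_temp_dir(), 'theme');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::OVERWRITE);
$zip->addFromString('evil-theme/theme.css', 'body { color: red; }');
$zip->addFromString('evil-theme/shell.php', '<?php system($_GET["cmd"]); ?>');
$zip->close();
$dest = sys_get_temp_dir() . '/wcms-themes-demo';
try {
    installSafe($tmp, $dest);
    echo "accepted\n";
} catch (RuntimeException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
unlink($tmp);
```

Run it with `php vet.php`: the hardened installer refuses the demo archive because of evil-theme/shell.php and nothing is written to the destination directory, whereas installUnsafe on the same archive would have placed the shell in the web-accessible directory. The check is an allowlist on purpose: a blocklist alone misses handler-specific extensions, and the per-segment check matters because some Apache configurations execute a file whose name merely contains a .php segment. Keep the web-server rule from the mitigation list in place as well; the two controls cover each other's gaps.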