WonderCMS
cpe:2.3:a:wondercms:wondercms:*:*:*:*:*:*:*
- 3.5.0
A remote code execution vulnerability has been identified in WonderCMS version 3.5.0. The issue arises in the 'installUpdateModuleAction' function, which manages the installation and updating of themes and plugins. This vulnerability allows for unrestricted file uploads, as the function downloads ZIP files from user-specified URLs and extracts them on the server without proper validation. Consequently, attackers can upload malicious ZIP files containing PHP web shells, which are then executed on the server. This vulnerability requires administrative privileges to exploit.
Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the server, potentially leading to a complete compromise of the affected system.
To reproduce this vulnerability, log in to WonderCMS as an administrator. Navigate to the 'Settings' -> 'Themes' section. In the 'Add Custom Theme' area, enter the URL of a malicious module configuration file that points to a ZIP file containing a PHP web shell. After adding the theme, it can be installed, which will deploy the web shell on the server.
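The description above says the downloaded ZIP is extracted without proper validation. As an added example (not WonderCMS code and not part of the original advisory), the following PHP gate runs before extraction and accepts an archive only if its URL is on an operator-maintained pin list, its SHA-256 matches the pinned digest, and every entry path stays inside a single top-level directory. The function name `checkModuleArchive`, the pin list format and the `.example` URLs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical pre-extraction gate; not WonderCMS code. Returns a list of
// problems; an empty list means the archive may be extracted.
function checkModuleArchive(string $url, string $zipPath, array $pins): array
{
    $problems = [];
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        $problems[] = 'URL must be https';
    }
    // Origin and integrity: the URL must be pinned and the bytes must match.
    if (!isset($pins[$url])) {
        $problems[] = 'URL is not on the operator pin list';
    } elseif (!hash_equals($pins[$url], (string) hash_file('sha256', $zipPath))) {
        $problems[] = 'SHA-256 does not match the pinned digest';
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return array_merge($problems, ['not a readable ZIP']);
    }
    $roots = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = str_replace('\\', '/', (string) $zip->getNameIndex($i));
        $segments = explode('/', $name);
        // Reject empty names, absolute paths, drive letters and ".." segments.
        if ($name === '' || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name) === 1
            || in_array('..', $segments, true)) {
            $problems[] = "unsafe entry path: $name";
        }
        $roots[$segments[0]] = true;
    }
    $zip->close();
    if (count($roots) !== 1) {
        $problems[] = 'archive must contain exactly one top-level directory';
    }
    return $problems;
}

// Constructed sample input: a one-file archive and the pin computed from it.
$zipPath = tempnam(sys_get_temp_dir(), 'mod');
$zip = new ZipArchive();
$zip->open($zipPath, ZipArchive::OVERWRITE);
$zip->addFromString('sample-theme/theme.php', '<?php // constructed sample');
$zip->close();
$pinnedUrl = 'https://modules.example/sample-theme.zip'; // placeholder URL
$pins = [$pinnedUrl => hash_file('sha256', $zipPath)];   // lowercase hex digest
var_dump(checkModuleArchive($pinnedUrl, $zipPath, $pins));                     // pinned URL
var_dump(checkModuleArchive('https://other.example/x.zip', $zipPath, $pins)); // URL outside the pin list
unlink($zipPath);
```

Filtering on file extension is not used here because an installed module is itself code the server runs, so the trust decision rests on where the archive came from and whether its bytes match what the operator reviewed.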