CVE-2025-3123

Name of the Vulnerable Software and Affected Versions WonderCMS version 3.5.0

Description A critical vulnerability has been found in WonderCMS, affecting the function installUpdateModuleAction of the component Theme Installation/Plugin Installation. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains that the philosophy has always been for the admin to bear responsibility for not installing themes/plugins from untrusted sources.

Recommendations As a temporary workaround, consider disabling the installUpdateModuleAction function until a patch is available. Restrict access to the Theme Installation/Plugin Installation component to minimize the risk of exploitation. Avoid installing themes or plugins from untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.