CVE-2025-3123 Information

Description

A vulnerability, which was classified as critical, has been found in WonderCMS 3.5.0. Affected by this issue is the function installUpdateModuleAction of the component Theme Installation/Plugin Installation. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains that "[t]he philosophy has always been admin […] bear responsibility to not install themes/plugins from untrusted sources."

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Reference

https://github.com/WonderCMS/wondercms/issues/330
https://github.com/WonderCMS/wondercms/issues/330#issue-2940381112
https://github.com/WonderCMS/wondercms/issues/330#issuecomment-2745347770
https://vuldb.com/?ctiid.303014
https://vuldb.com/?id.303014
https://vuldb.com/?submit.525101

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

Base Score

4.7

Base Severity

MEDIUM
