CVE-2025-57055

Published: Sep 17, 2025Modified: Sep 23, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.2 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

WonderCMS 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. An authenticated administrator can supply a malicious URL via the pluginThemeUrl POST parameter. The server fetches the provided URL using curl_exec() without sufficient validation, allowing the attacker to force internal or external HTTP requests.

Affected (1)

Products: Wondercms: Wondercms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wondercms Wondercms	Version 3.5.0

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://github.com/thawphone/CVE-2025-57055

Source: cve@mitre.org

ExploitMitigationThird Party Advisory

https://github.com/thawphone/CVE-2025-57055

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitMitigationThird Party Advisory

Timeline

No history available yet.