CVE-2021-27200
CRITICAL
WoWonder 3.0.4 - Code Injection
Title source: llm
Description
In WoWonder 3.0.4, remote attackers can take over any account due to the weak cryptographic algorithm in recover.php. The code parameter is easily predicted from the time of day.
Exploits (1)
exploitdb
WORKING POC
by securityforeveryone.com · python · webapps · php
https://www.exploit-db.com/exploits/49989
Scores
CVSS v3
9.8
EPSS
0.0305
EPSS Percentile
86.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-330
Status
published
Products (1)
wowonder/wowonder
3.0.4
Published
Jun 11, 2021
Tracked Since
Feb 18, 2026