CVE-2022-43332

MEDIUM

WonderCMS 3.3.4 - Stored Cross-Site Scripting via Site Title Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-43332. PoCs published by maikroservice.

AI-analyzed exploit summary: This repository contains a writeup describing a stored XSS vulnerability in WonderCMS v3.3.4, where an attacker can inject malicious scripts into the 'Site title' field to steal user cookies, which is possible because the HttpOnly flag is not set.

Description

A cross-site scripting (XSS) vulnerability in WonderCMS v3.3.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Site title field of the Configuration Panel.

Exploits (1)

nomisec WRITEUP 2 stars
by maikroservice · poc
https://github.com/maikroservice/CVE-2022-43332

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WonderCMS v3.3.4
Auth required
Prerequisites: Access to the WonderCMS admin panel · Valid credentials for authentication
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.1
EPSS 0.0056
EPSS Percentile 42.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1)
wondercms/wondercms 3.3.4
Published Nov 17, 2022
Tracked Since Feb 18, 2026