CVE-2023-41425

MEDIUM

WonderCMS Remote Code Execution

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 18 public exploits for CVE-2023-41425. PoCs published by Milad karimi, prodigiousMind, Tea-On, including Metasploit module exploits/multi/http/wondercms_rce.

AI-analyzed exploit summary This exploit leverages an XSS vulnerability in WonderCMS 3.4.2 to achieve remote code execution by tricking a victim into executing a malicious JavaScript payload that installs a PHP web shell. The exploit sets up an HTTP server to host the malicious files and provides a reverse shell command.

Description

Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.

Exploits (18)

exploitdb WORKING POC
by Milad karimi · pythonremotephp
https://www.exploit-db.com/exploits/52271

This exploit leverages an XSS vulnerability in WonderCMS 3.4.2 to achieve remote code execution by tricking a victim into executing a malicious JavaScript payload that installs a PHP web shell. The exploit sets up an HTTP server to host the malicious files and provides a reverse shell command.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WonderCMS 3.4.2
No auth needed
Prerequisites: Victim interaction to trigger XSS · Network access to target · HTTP server to host malicious files
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 25 stars
by prodigiousMind · poc
https://github.com/prodigiousMind/CVE-2023-41425

This repository contains a functional exploit for CVE-2023-41425, which leverages a Cross-Site Scripting (XSS) vulnerability in Wonder CMS to achieve Remote Code Execution (RCE). The exploit generates a malicious JavaScript file and a crafted link that, when clicked by an admin, uploads a reverse shell and establishes a connection to the attacker's machine.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Wonder CMS v3.2.0 through v3.4.2
No auth needed
Prerequisites: Admin user interaction (clicking a malicious link) · Network connectivity to the attacker's machine
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 7 stars
by Tea-On · poc
https://github.com/Tea-On/CVE-2023-41425-RCE-WonderCMS-4.3.2

This repository contains a functional Python exploit for CVE-2023-41425, targeting WonderCMS 4.3.2. The exploit automates the creation of a malicious ZIP theme module and a JavaScript-based XSS payload to hijack an admin session and deploy a PHP reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WonderCMS 4.3.2
No auth needed
Prerequisites: Target WonderCMS login URL · Attacker's IP address and listening port · PHP reverse shell script
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 3 stars
by duck-sec · poc
https://github.com/duck-sec/CVE-2023-41425

This repository contains a functional exploit for CVE-2023-41425, which targets a Cross-Site Scripting (XSS) vulnerability in Wonder CMS versions 3.2.0 to 3.4.2. The exploit chains XSS to achieve Remote Code Execution (RCE) by serving a malicious JavaScript payload locally and tricking an admin into executing it.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Wonder CMS 3.2.0 to 3.4.2
Auth required
Prerequisites: Admin access to the target Wonder CMS instance · Network access to the target · Local HTTP server to host malicious payloads
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 2 stars
by thefizzyfish · poc
https://github.com/thefizzyfish/CVE-2023-41425-wonderCMS_RCE

This repository contains a functional exploit for CVE-2023-41425, leveraging an XSS vulnerability in Wonder CMS to achieve remote code execution by uploading a malicious ZIP file and triggering a reverse shell. The exploit requires admin access or social engineering to execute the XSS payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Wonder CMS v3.2.0 through v3.4.2
Auth required
Prerequisites: Admin access or ability to trick an admin into clicking a malicious link · Network connectivity to the target and attacker-controlled server
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by Diegomjx · poc
https://github.com/Diegomjx/CVE-2023-41425-WonderCMS-Authenticated-RCE

This repository contains a functional exploit for CVE-2023-41425, targeting WonderCMS versions 3.2.0 to 3.4.2. The exploit leverages an authenticated XSS vulnerability to achieve remote code execution by uploading a reverse shell payload via the theme/plugin upload feature.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WonderCMS v3.2.0 - v3.4.2
Auth required
Prerequisites: Target URL with WonderCMS installed · Attacker's IP and port for reverse shell · Admin user interaction (clicking a malicious link)
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by xpltive · poc
https://github.com/xpltive/CVE-2023-41425

This repository contains a functional exploit for CVE-2023-41425, a reflected XSS vulnerability in Wonder CMS that can be chained to achieve remote code execution via the `installModule` component. The exploit automates the creation of a malicious JavaScript file and a PHP web shell, then serves them via an HTTP server to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Wonder CMS v3.2.0 - v3.4.2
No auth needed
Prerequisites: Target URL with vulnerable Wonder CMS instance · Attacker-controlled HTTP server to host malicious files
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by Raffli-Dev · poc
https://github.com/Raffli-Dev/CVE-2023-41425

This repository contains a functional exploit for CVE-2023-41425, demonstrating an XSS to RCE vulnerability in Wonder CMS versions 3.2.0 to 3.4.2. The exploit leverages a stored XSS to install a malicious theme, achieving remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Wonder CMS 3.2.0 <= 3.4.2
No auth needed
Prerequisites: Victim must visit a crafted URL · Attacker must host malicious files on a web server
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec NO CODE 1 stars
by charlesgargasson · poc
https://github.com/charlesgargasson/CVE-2023-41425
gitlab WORKING POC
by Eggzy · poc
https://gitlab.com/Eggzy/CVE-2023-41425

This repository contains a functional exploit for CVE-2023-41425, an XSS vulnerability in WonderCMS versions 3.2.0 through 3.4.2. The exploit automates the process of generating a malicious JavaScript payload, uploading a reverse shell via the `installModule` component, and executing it to gain remote code execution.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: WonderCMS 3.2.0 to 3.4.2
No auth needed
Prerequisites: Target URL · Attacker IP · Listening port · Optional remote host for reverse shell
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC
by 0xDTC · poc
https://github.com/0xDTC/WonderCMS-4.3.2-XSS-to-RCE-Exploits-CVE-2023-41425

This repository contains functional exploit scripts for CVE-2023-41425, leveraging an XSS vulnerability in WonderCMS 4.3.2 to achieve RCE via a reverse shell. The scripts automate the process of payload delivery and execution, requiring admin interaction to trigger the XSS.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WonderCMS 4.3.2
Auth required
Prerequisites: Bash shell · netcat (nc) · Python3 · WonderCMS 4.3.2 · Administrator interaction · revshells.com
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by 0x0d3ad · poc
https://github.com/0x0d3ad/CVE-2023-41425

This repository contains a functional exploit for CVE-2023-41425, which chains an XSS vulnerability to achieve RCE in Wonder CMS versions 3.2.0 to 3.4.2. The exploit generates a malicious ZIP file and XSS payload to trigger remote code execution via module installation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Wonder CMS 3.2.0 <= 3.4.2
No auth needed
Prerequisites: Target must be running vulnerable Wonder CMS version · Attacker must be able to host malicious files on a reachable web server
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by h3athen · poc
https://github.com/h3athen/CVE-2023-41425

This exploit leverages an XSS vulnerability in a web application to deliver a reverse shell payload. It generates a malicious JavaScript file that, when executed, fetches and installs a reverse shell module from an attacker-controlled server.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Unknown (likely a web application with a login page vulnerable to XSS)
No auth needed
Prerequisites: Victim must visit a crafted URL containing the XSS payload · Attacker must host a malicious ZIP file and a web server to serve the payload
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP
by SpycioKon · poc
https://github.com/SpycioKon/CVE-2023-41425

The repository contains a reference to a technical analysis of CVE-2023-41425, linking to a detailed blog post. However, no actual exploit code or technical details are present in the README itself.

Classification
Writeup 80%
Attack Type
Other
Complexity
Unknown
Reliability
Unknown
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by Twappz · poc
https://github.com/Twappz/CVE-2023-41425

This repository contains a functional exploit for CVE-2023-41425, which leverages an XSS vulnerability in WonderCMS versions 3.2.0 to 3.4.2 to achieve remote code execution (RCE) by uploading a malicious module. The exploit automates the process of generating a malicious JavaScript payload and hosting it for delivery to an admin user.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WonderCMS v3.2.0 to v3.4.2
No auth needed
Prerequisites: Admin user interaction to trigger the XSS payload · Network access to the target WonderCMS instance
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by msutovsky-r7, Milad, Karimi · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wondercms_rce.rb

This Metasploit module exploits CVE-2023-41425, an authenticated file upload vulnerability in WonderCMS versions 3.2.0 to 3.4.2. It uploads a malicious ZIP file containing a PHP payload to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WonderCMS 3.2.0 to 3.4.2
Auth required
Prerequisites: Valid credentials for WonderCMS · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 6.1
EPSS 0.5431
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
wondercms/wondercms 3.2.0 - 3.4.2
Published Nov 07, 2023
Tracked Since Feb 18, 2026