CVE-2025-57055 — MEDIUM (6.5)

Vulnerability Description

WonderCMS 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. An authenticated administrator can supply a malicious URL via the pluginThemeUrl POST parameter. The server fetches the provided URL using curl_exec() without sufficient validation, allowing the attacker to force internal or external HTTP requests.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Wondercms	Wondercms	3.5.0

Related Weaknesses (CWE)

CWE-918

References

https://github.com/thawphone/CVE-2025-57055ExploitMitigationThird Party Advisory
https://github.com/thawphone/CVE-2025-57055ExploitMitigationThird Party Advisory

FAQ

What is CVE-2025-57055?

CVE-2025-57055 is a vulnerability with a CVSS score of 6.5 (MEDIUM). WonderCMS 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. An authenticated administrator can supply a malicious URL via the pluginThemeUrl PO...

How severe is CVE-2025-57055?

CVE-2025-57055 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-57055?

Check the references section above for vendor advisories and patch information. Affected products include: Wondercms Wondercms.