The Site title field is the part of a page title that shows up in the browser tab title and in the address bar. Because the browser displays the Site title by default, it is critical that the field be used only for its intended purpose. When users submit a form, the browser may forward the request to another site and may also display the Site title in the browser tab.

In WonderCMS v3.3.4, the Site title field is not properly sanitized, allowing attackers to inject arbitrary web script or HTML via a crafted payload. In some situations, this can lead to XSS attacks, session hijacking, or information disclosure.

Note: This issue did not affect versions of WonderCMS prior to v3.3.4. However, this issue has been patched in v3.3.4. Users of v3.3.4 or later are not at risk. End users are encouraged to upgrade their installations as soon as possible.

CVE-2018-12301
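The unsanitized Site title described above, shown as an added PHP example that is not WonderCMS's own code: the same stored value is rendered once by plain concatenation and once with output encoding, alongside a check for titles that need review. The function names are hypothetical and the sample titles are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not WonderCMS functions.
const TITLE_ESCAPE_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// Unsafe: the stored title is concatenated into markup as-is, so any HTML
// it contains becomes part of the page for every visitor.
function renderTitleUnsafe(string $siteTitle): string
{
    return '<title>' . $siteTitle . '</title>';
}

// Hardened: encode on output so the stored value is always treated as text.
function renderTitleEscaped(string $siteTitle): string
{
    return '<title>' . htmlspecialchars($siteTitle, TITLE_ESCAPE_FLAGS, 'UTF-8') . '</title>';
}

// Audit helper: true when a stored title contains characters that carry
// meaning in HTML. A legitimate "&" is flagged too, which is why the fix is
// encoding at output time rather than rejecting such titles on input.
function titleNeedsReview(string $siteTitle): bool
{
    return htmlspecialchars($siteTitle, TITLE_ESCAPE_FLAGS, 'UTF-8') !== $siteTitle;
}

// Constructed sample values, not taken from any real installation.
$samples = [
    'My Website',
    'Tom & Jerry Fan Site',
    'Acme</title><b>injected markup</b>',
];

foreach ($samples as $title) {
    printf(
        "stored:  %s\nreview:  %s\nunsafe:  %s\nescaped: %s\n\n",
        $title,
        titleNeedsReview($title) ? 'yes' : 'no',
        renderTitleUnsafe($title),
        renderTitleEscaped($title)
    );
}
```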

Summary

A vulnerability has been identified in the Site title field in WonderCMS v3.3.4 and earlier versions. This issue has been patched in v3.3.4 and later, but users of any version prior to v3.3.4 are not at risk.

How to check if you are vulnerable to Site Title Field Injection?

Go to Settings > Security. If you are vulnerable, you will see a "Site Title Field Injection" alert.

Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/18/2022 18:28:00 UTC

References