
[Self attack vulnerabilities] possibilities list

Robert Isoski edited this page Mar 5, 2022 · 2 revisions

The bugs below work only if an admin is logged in and is tricked into pasting JavaScript code, uploading SVGs, or installing themes/plugins from malicious actors.

WonderCMS comes with some security features and some responsibilities.

1. A logged-in user (admin) can execute JavaScript anywhere on their website.

  • This has always been a WonderCMS feature.
  • I personally don't consider that this needs fixing, since a logged-in admin can do much more damage than just XSS attacks (including website defacement, malware distribution, cryptominers, ...)

2. A logged-in user can upload an SVG (containing code other than an image, such as JavaScript).

  • SVGs are generally not just images: they can also include code such as JavaScript and XML, and these are awesome features of SVGs.
  • Sanitizing SVGs would partially kill their functionality.
  • If there is enough demand for it, the SVG uploading functionality can be completely removed from WonderCMS.
  • If we already allow JavaScript to be executed in any part of the CMS, would removing the SVG functionality make any difference?
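A middle ground between stripping SVGs and accepting them blindly is to scan an upload for the constructs that make it more than an image and report them, leaving the decision to the admin. The script below is an added example for this page, not WonderCMS code; the function names (`scan_svg`, `check_upload`) and the two sample documents are constructed for the illustration.

```python
"""Flag active content in an SVG upload before it is stored.

Added example for this wiki page; it is not WonderCMS code. It reports the
constructs that turn an "image" into a script carrier instead of stripping
them, so whoever uploads the file can see why it was rejected. Parsing uses
the standard library; for untrusted input in production, running the same
parse through defusedxml guards against entity-expansion tricks as well.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

# Element local names that execute code or embed non-image documents.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def _suspicious_url(value: str) -> str | None:
    """Return a short reason if an href-like value carries a script or nested document."""
    # Browsers tolerate stray whitespace inside a scheme, so remove it before
    # looking at the scheme (approximate, but catches the usual obfuscation).
    v = "".join(ch for ch in value.lower() if not ch.isspace())
    if ":" not in v:
        return None                      # relative URL or fragment: fine
    scheme, rest = v.split(":", 1)
    if scheme in ("javascript", "vbscript"):
        return f"{scheme}: URL"
    if scheme == "data":
        media = rest.split(",", 1)[0]    # e.g. "image/svg+xml;base64"
        if "svg" in media or "html" in media:
            return "data: URL embedding a nested svg/html document"
    return None


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings for one SVG document (empty list = nothing active).

    Raises xml.etree.ElementTree.ParseError on malformed XML.
    """
    findings: list[str] = []
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():             # document order; comments and PIs are not included
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{tag}>")
            elif aname == "href":        # covers both plain href and xlink:href
                reason = _suspicious_url(value)
                if reason:
                    findings.append(f"{reason} in href on <{tag}>")
    return findings


def check_upload(data: bytes) -> tuple[bool, list[str]]:
    """Accept/reject decision for an upload handler: (accepted, findings)."""
    try:
        findings = scan_svg(data)
    except ET.ParseError:
        return False, ["not well-formed XML"]
    return (not findings), findings


# Constructed sample inputs (not real uploads).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="void 0">'
              b'<script>/* constructed placeholder */</script>'
              b'<a xlink:href="javascript:void(0)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        accepted, findings = check_upload(doc)
        print(label, "accepted" if accepted else "rejected", findings)
```

The scan is deliberately a report, not a rewrite: a file that trips it can still be accepted by an admin who knows why it contains a script, which keeps the "SVGs are more than images" feature while making the upload an informed choice rather than an accident.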

3. Installing themes/plugins from malicious actors

  • Installing a theme/plugin from unverified sources can lead to your website being hijacked.
  • Please be careful: verify themes/plugins before installing them, or don't install them from sources you don't trust.

4. Host header attack.

  • This will not be considered a vulnerability until we see a live exploit of this (not local).
  • Using Burp Suite to create/show a local attack is not enough, since there needs to be a way to exploit a WonderCMS installation (and not just locally attack yourself).
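Whatever its status in the reward system, the standard hardening for Host header manipulation is to never build the site's own absolute URLs (canonical links, redirects, password-reset mails) from the request header alone, but to compare it against the hostnames the site is actually served on and fall back to a configured canonical host on mismatch. The following is an added example for this page, not WonderCMS code; `parse_host`, `resolve_host`, and the allowlist values are constructed for the illustration.

```python
"""Host-header allowlist for URL construction.

Added example for this wiki page; it is not WonderCMS code. The Host header
is client-controlled, so a URL built from it can point wherever the client
says. resolve_host() only honours the header when it names a configured
host; otherwise the configured canonical host is used.
"""
from __future__ import annotations
import re

# Hostname syntax after lowercasing: dot-separated labels of letters, digits
# and hyphens (no leading/trailing hyphen), or a bracketed IPv6 literal.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")
_IPV6 = re.compile(r"^\[[0-9a-f:.]+\]$")


def parse_host(raw: str) -> tuple[str, int | None]:
    """Split a Host header into (lowercase hostname, port or None).

    Raises ValueError for anything that is not hostname[:port] or [ipv6][:port];
    callers should treat that the same as an untrusted host.
    """
    value = raw.strip().lower()
    if value.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[: end + 1], value[end + 1:]
        if not _IPV6.match(host):
            raise ValueError("bad IPv6 literal")
    else:
        host, sep, port_text = value.partition(":")
        rest = sep + port_text
        host = host.rstrip(".")                    # "example.com." is the same name
        if not _HOSTNAME.match(host):
            raise ValueError("bad hostname")
    if not rest:
        return host, None
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError("bad port")
    port = int(rest[1:])
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return host, port


def resolve_host(raw: str | None, allowed_hosts: set[str], canonical: str) -> tuple[str, bool]:
    """Return (host to build URLs with, whether the request's Host header was trusted).

    allowed_hosts entries are either "host" (matches no port, 80 or 443) or
    "host:port" (matches that port exactly); canonical should be one of them.
    """
    if raw is None:
        return canonical, False
    try:
        host, port = parse_host(raw)
    except ValueError:
        return canonical, False
    if port in (None, 80, 443) and host in allowed_hosts:
        return host, True
    if port is not None and f"{host}:{port}" in allowed_hosts:
        return f"{host}:{port}", True
    return canonical, False


# Constructed configuration for the demo.
ALLOWED = {"example.com", "www.example.com", "localhost:8080"}
CANONICAL = "example.com"

if __name__ == "__main__":
    for header in ("WWW.Example.com", "www.example.com:443", "localhost:8080",
                   "localhost:9000", "other.example", "example.com@other", "[::1]:8080", None):
        print(repr(header), "->", resolve_host(header, ALLOWED, CANONICAL))
```

The trusted/untrusted flag is worth logging: a steady trickle of requests whose Host header does not match any configured name is exactly the signal that would distinguish a real remote attempt from someone exercising the header against their own installation.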

How to prevent self-attack vulnerabilities

  • Avoid pasting random JavaScript code.
  • Avoid uploading random SVGs.
  • Install themes and plugins only from sources you trust.

The list above is subject to change. All discussions are welcome. Reporting the above issues/bugs/vulnerabilities will not include you in the WonderCMS reward system.
