CVE-2024-32744 identifies a cross-site scripting (XSS) vulnerability in WonderCMS version 3.4.3, specifically within the Settings section's PAGE KEYWORDS parameter under the CURRENT PAGE module. This vulnerability arises because the application fails to properly sanitize or encode user-supplied input before rendering it in the web interface, allowing attackers to inject arbitrary web scripts or HTML. The attack vector requires network access (remote) and low attack complexity, but does require the attacker to have some level of privileges (PR:L) and user interaction (UI:R), such as tricking an authenticated user into clicking a crafted link or loading a malicious page. The vulnerability impacts confidentiality and integrity by enabling script execution in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the CMS. The vulnerability does not affect availability. The CVSS v3.1 base score is 4.6, reflecting medium severity. No patches or exploits are currently publicly available, but the risk remains for targeted attacks. The weakness is classified under CWE-79, which covers improper neutralization of input leading to XSS.

The primary impact of this vulnerability is on the confidentiality and integrity of data managed through WonderCMS installations. Successful exploitation can allow attackers to execute malicious scripts in the context of authenticated users, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions within the CMS. This can lead to website defacement, data leakage, or further compromise of the hosting environment. Since WonderCMS is a lightweight content management system used by small to medium websites, organizations relying on it for public-facing or internal sites may face reputational damage and operational disruption. The lack of availability impact reduces the risk of denial-of-service conditions, but the potential for targeted phishing or social engineering attacks exploiting this vulnerability remains significant.

To mitigate CVE-2024-32744, organizations should implement strict input validation and output encoding for the PAGE KEYWORDS parameter in the CURRENT PAGE module. Specifically, ensure that all user-supplied input is sanitized to remove or encode HTML special characters before rendering. Applying Content Security Policy (CSP) headers can help reduce the impact of injected scripts by restricting script execution sources. Administrators should restrict access to the Settings section to trusted users only and monitor for suspicious activity. Since no official patch is currently available, consider temporarily disabling or restricting the PAGE KEYWORDS functionality if feasible. Regularly update WonderCMS to future versions where this vulnerability is addressed. Additionally, educate users to avoid clicking on suspicious links and implement multi-factor authentication to reduce the risk of session hijacking.