CVE-2024-32745 is a cross-site scripting (XSS) vulnerability identified in WonderCMS version 3.4.3, a lightweight content management system. The flaw exists in the Settings section, specifically in the PAGE DESCRIPTION parameter within the CURRENT PAGE module. This parameter fails to properly sanitize or encode user-supplied input, allowing attackers to inject crafted payloads containing arbitrary JavaScript or HTML. When a victim accesses the affected page, the malicious script executes in their browser context, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability does not require authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 5.9 (medium severity), reflecting local network attack vector, low attack complexity, no privileges required, no user interaction, and partial impact on confidentiality, integrity, and availability. No patches or known exploits are currently reported, but the vulnerability aligns with CWE-79 (Improper Neutralization of Input During Web Page Generation).

The impact of CVE-2024-32745 includes unauthorized script execution in the context of the affected WonderCMS website, which can compromise user sessions, steal sensitive information, or manipulate site content. This can lead to loss of user trust, reputational damage, and potential data breaches. Since the vulnerability affects the PAGE DESCRIPTION parameter, attackers may deface websites or inject phishing content. The medium severity score indicates moderate risk, but exploitation ease without authentication or user interaction increases concern. Organizations relying on WonderCMS for public-facing websites or internal portals may face service disruption or data integrity issues. The absence of known exploits reduces immediate risk, but proactive mitigation is essential to prevent future attacks.

To mitigate CVE-2024-32745, organizations should first check for official patches or updates from WonderCMS and apply them promptly once available. In the absence of patches, implement strict input validation and sanitization on the PAGE DESCRIPTION parameter to reject or neutralize malicious scripts. Employ output encoding techniques to ensure that injected content is rendered as text, not executable code. Use Content Security Policy (CSP) headers to restrict script execution sources and reduce XSS impact. Regularly audit and monitor web application logs for suspicious activity related to the CURRENT PAGE module. Educate administrators on secure configuration practices and limit access to the Settings section to trusted personnel. Additionally, consider deploying web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional defense layer.