Arbitrary file upload and RCE in Wonder CMS - CVE-2017-14521
Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github.
Curious to explore its functionalities, I downloaded and set it up in my local system.
After fiddling with the source code, I found that it did not have any kind of file upload security mechanism and allowed the user to upload any file type! After reporting it to them, I did not receive any security relevant response, hence decided to publish a blog on this.