Wonder CMS 2014: www.wondercms.com
By Ross Marks: www.rossmarks.co.uk
1. Password Disclosure
Anyone can request /files/password directly to view the unsalted MD5 password.
Recommendation: use .htaccess (on Apache) to disallow access to the folder.
2. Full path disclosure
Change the password to an array, then try to log in, i.e.
"Warning: md5() expects parameter 1 to be string, array given in /full/path/to/index.php on line 135"
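Added example (not WonderCMS code and not part of the original advisory): one way to address items 1 and 2 together in PHP, by rejecting non-string password input before it reaches a hashing call and by storing a salted hash outside the web root. The function names, the HASH_FILE location and the 1024-byte length limit are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not WonderCMS's own code.
declare(strict_types=1);

// Item 2: never render PHP warnings (and their full paths) to visitors.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Item 1 (assumption): keep the hash outside the web root, not in /files/.
const HASH_FILE = __DIR__ . '/../private/password.hash';

/** Return the submitted password only if it is a non-empty, bounded string. */
function read_password_field(array $post): ?string
{
    $value = $post['password'] ?? null;
    // A request sending password[]=x arrives as an array; reject it here
    // so it never reaches md5()/password_verify() and triggers a warning.
    if (!is_string($value) || $value === '' || strlen($value) > 1024) {
        return null;
    }
    return $value;
}

/** Store a salted hash instead of an unsalted MD5 digest. */
function store_password(string $plain, string $file = HASH_FILE): void
{
    file_put_contents($file, password_hash($plain, PASSWORD_DEFAULT), LOCK_EX);
    chmod($file, 0600);
}

/** Verify a login attempt; malformed input simply fails. */
function check_login(array $post, string $file = HASH_FILE): bool
{
    $plain  = read_password_field($post);
    $stored = is_readable($file) ? trim((string) file_get_contents($file)) : '';
    if ($plain === null || $stored === '') {
        return false;
    }
    return password_verify($plain, $stored);
}

// Constructed demo input, using a temporary file in place of HASH_FILE.
$tmp = tempnam(sys_get_temp_dir(), 'pw');
store_password('correct horse', $tmp);
var_dump(check_login(['password' => 'correct horse'], $tmp)); // valid string
var_dump(check_login(['password' => ['x']], $tmp));           // array input
var_dump(check_login(['password' => 'wrong'], $tmp));         // wrong password
unlink($tmp);
```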
3. XSS
edit the page can just put or use a broken image
This also works for all settings values (navigation, title, description, keywords & copyright).
4. LFI
edit the theme set value="" and change "