Wonder CMS 2014: www.wondercms.com
By Ross Marks: www.rossmarks.co.uk

1. Password Disclosure
/files/password can be viewed directly and contains the unsalted MD5 password.
Recommend using .htaccess (on Apache) to disallow access to the folder.

2. Full path disclosure
Change the password to an array, then try to log in, i.e.
"Warning: md5() expects parameter 1 to be string, array given in /full/path/to/index.php on line 135"

3. XSS
Edit the page: can just put or use a broken image.
Also works for all settings values (navigation, title, description, keywords & copyright).

4. LFI
Edit the theme set value="" and change "
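
For items 1 and 2 above, a hardened password check as an added example (not WonderCMS code and not from the advisory): it rejects non-string input before any hash function sees it, stores a salted password_hash() value in place of unsalted MD5, and keeps the file out of the web root. The function names, the storage path and the PHP 8 requirement (for the mixed type) are assumptions.

```php
<?php
// Added example, not WonderCMS code. Function names and the storage path
// are assumptions made for illustration. Requires PHP 8.0+.
declare(strict_types=1);

// Never render warnings to the client; they carry the full script path.
ini_set('display_errors', '0');

// Assumed location outside the web root, so the hash cannot be fetched over HTTP.
const HASH_FILE = __DIR__ . '/../private/password.hash';

/** Store a salted, slow hash (password_hash) in place of md5(). */
function store_password(string $plain, string $file = HASH_FILE): void
{
    $dir = dirname($file);
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    file_put_contents($file, password_hash($plain, PASSWORD_DEFAULT), LOCK_EX);
    chmod($file, 0600);
}

/**
 * Check a submitted password. $submitted comes straight from the request and
 * may be an array (password[]=x), the input that makes md5() emit the warning.
 */
function check_login(mixed $submitted, string $file = HASH_FILE): bool
{
    if (!is_string($submitted) || $submitted === '' || strlen($submitted) > 1024) {
        return false; // reject non-strings before any hashing function runs
    }
    $stored = @file_get_contents($file);
    if ($stored === false) {
        return false; // missing hash file: fail closed
    }
    return password_verify($submitted, trim($stored));
}

// Constructed demonstration using a temporary file.
$tmp = sys_get_temp_dir() . '/wcms_demo_' . bin2hex(random_bytes(4)) . '/password.hash';
store_password('correct horse', $tmp);
var_dump(check_login('correct horse', $tmp)); // string, matching password
var_dump(check_login('wrong', $tmp));         // string, non-matching password
var_dump(check_login(['x'], $tmp));           // array input as in item 2
```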