WonderCMS

v3.6.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 5mo Productivity & Wikis
✓ No known CVEs patched
This release patches 1 known CVE

Topics

blog cms content-management content-management-system fast file flat flat-file flat-file-cms flatfilecms landing-page-builder lightweight no-database php simple simple-website simple-website-builder small website-builder wondercms

Affected surfaces

auth deps

Summary

AI summary

Hardened module installs/updates, fixed internal search bugs, and added a database‑backed plugin enable/disable feature with conflict prevention.

Full changelog

Features and fixes

Security + stability update to WonderCMS core (index.php) with no intended breaking changes. It hardens module installs/updates, fixes a few long-standing bugs, improves PHP 8.4+ compatibility, and adds an ultra-simple plugin enable/disable mechanism (no file deletion needed) with conflict-prevention for editor/translation plugins.

Changes

  • Safer theme/plugin installs & updates
    • Stronger sanitization for module name/type
    • Basic ZIP entry validation to prevent zip-slip (bad ZIPs writing outside the module folder)
    • Thanks to Ramon Dunker (his GitHub and LinkedIn)
  • Login hooks now work
    • Plugins load before loginAction() so login_success / login_failed listeners can run reliably
  • Search fixes
    • Fixed broken internal search helper methods
    • Improved Simple Blog post search compatibility
  • More accurate update checks
    • Replaced string compares with version_compare() for modules + core update checks
  • PHP compatibility / deprecation cleanup
    • Explicit nullable params for PHP 8.4+
    • Fixed str_ireplace(..., null, ...) deprecation triggered during plugin deletion on newer PHP
  • Plugin enable/disable (new)
    • New config.disabledPlugins list in the DB
    • loadPlugins() skips disabled plugins but still lists them as installed
    • Settings → Plugins now shows Enable/Disable for installed plugins
    • Editor/translation conflict prevention: enabling/installing one editor/translation plugin auto-disables other enabled plugins from the same group (with confirmation prompt)

Backwards compatibility

  • No plugin API changes (existing plugins do not need changes).
  • config.disabledPlugins is optional; if missing, behavior is unchanged.
  • Note: if a user disables plugins on this version and later downgrades to an older WonderCMS, the older core will ignore disabledPlugins and those plugins will load again (expected).

How to update

  • Log into your WonderCMS website and create a backup of your website through WonderCMS -> Security.
  • Click "Update".
    • If update isn't visible, open Settings -> Themes and click "Check for updates".

Installation

  • Unzip and upload the files wherever you want WonderCMS installed and visit that URL.
  • SHA-256 signature: 14985f23f6a0766d251b48cda54579a1188ea56226c340059efd6c552ade9382

Security Fixes

  • Prevents zip‑slip during theme/plugin installation by adding basic ZIP entry validation
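
The kind of ZIP entry validation this fix names, as an added PHP example; it is not WonderCMS's own code. The function names isSafeZipEntryName and extractModuleZip and the sample entry names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: true only if the entry name must resolve inside the target folder.
function isSafeZipEntryName(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    // Treat backslashes as separators so Windows-style names are checked too.
    $normalized = str_replace('\\', '/', $name);
    if ($normalized[0] === '/' || preg_match('/^[A-Za-z]:/', $normalized) === 1) {
        return false; // absolute path or drive letter
    }
    // Any ".." segment could climb out of the module folder.
    return !in_array('..', explode('/', $normalized), true);
}

// Hypothetical helper: extracts only when every entry passes; returns rejected names.
function extractModuleZip(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Cannot open ZIP archive');
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeZipEntryName($name)) {
            $rejected[] = $name === false ? "(unreadable entry #$i)" : $name;
        }
    }
    // Validate the whole archive first so a bad ZIP leaves nothing half-installed.
    $ok = $rejected !== [] || $zip->extractTo($destDir);
    $zip->close();
    if (!$ok) {
        throw new RuntimeException('Extraction failed');
    }
    return $rejected;
}

// Constructed entry names (not taken from any real archive) to exercise the check.
$samples = ['theme/css/style.css', 'theme/../../outside.txt', '/absolute/path.txt',
            'C:\\temp\\x.txt', 'plugin\\..\\..\\outside.txt', 'plugin/my..file.txt'];
foreach ($samples as $name) {
    printf("%-28s %s\n", $name, isSafeZipEntryName($name) ? 'accept' : 'reject');
}
```

Only the first and last sample names are accepted; a name such as `my..file.txt` passes because `..` is rejected only when it forms a whole path segment.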

About WonderCMS

WonderCMS is the smallest flat file CMS since 2008.
