What's new in 2.7.0
March 31st, 2019

No special actions are required for this update

Simply use the one click update from your admin panel. Make sure to always backup before updating.

IMPORTANT: future version (3.0.0) will require manual updating

Due to some awesome restructuring done by Nicolas Carpi, WonderCMS 3.0.0 will not be backwards compatible and will require manual updating. Instructions will appear here once version 3.0.0 is ready to be released.


Thanks to Nicolas Carpi, an awesome developer that joined in on helping with WonderCMS. He's responsible for most of the code refactoring that is going to be included in the next milestone version (3.0.0) and all of the incoming improvements.

Thanks to Ashe Safe for responsibly reporting a possibility of a self-attack, which bypassed an existing patch. More info on GitHub.

Previous updates

2.6.0 - January 1st, 2019

  • Added popup/functionality for naming a page before creating it.
  • Minor text and settings panel visual changes.
  • Code optimisation/cleanup.
  • Updated autosize library to latest version.
  • Increased randomness of backup file names.

No special actions are required for this update

Simply use the one click update from your admin panel. Make sure to always backup before updating.

2.5.2 - July 18th, 2018

  • Fixed session fixation vulnerability.
  • Fixed mixed content warning for NGINX servers.
  • Improved main URL function and added multiple string case checks for the HTTPS protocol and port forwarding.

No actions are required for this update

Simply use the one click updater from your admin panel.


Thanks to Anusya Angamuthu for reporting the session fixation vulnerability.

Thanks to Senthil Nathan for reporting the mixed content issue, providing a fix and testing.

2.5.0 and 2.5.1 patch - May 2nd, 2018

  • New feature (Apache only): better security mode and HTTPS redirect ON/OFF switch in Settings->Security. Read more about enabling better security mode.
  • New feature: view version number when updating. It's now easier to see which WonderCMS version you're updating to next.
  • Minor text and style changes to the update notification and settings panel.
  • Upgraded logic when checking for directory traversal attacks. Other minor code fixes.
  • Moved location of backup action in index.php, this removes the "Delete backup files" notification bug when a backup file is removed.
  • Moved location of delete page action in index.php, this removes the "Page deleted" notification when a corrupted database is recovered.
  • Changed most REQUEST['token'] checks to POST types.
  • Fixed bug in better security function.
  • Improved function for password changing.
  • Added keyword and description for 404 pages (for fresh WonderCMS installs only).
  • Improved function for installing themes and plugins.
  • Fixed bug with function for deleting files and folders.

8 theme updates available: check themes page

2016 default theme, Dark blue, Gold, Green, Light blue, Pink, Purple, Red


Thanks to Vekien for the upgraded code logic for checking directory traversal attacks.

2.4.1 - February 21st, 2018 (and 23rd - minor 2.4.2 patch)

  • Fixed bug with "double update" notification (2.4.2 patch). The double notification bug will be displayed one last time after updating.
  • Fixed vulnerability - logged in admin could delete files from any directory.
  • Added SRI hashes to external JavaScript and CSS files (jquery.min.js, bootstrap.min.js, autosize.min.js, taboverride.min.js, jquery.taboverride.min.js, bootstrap.min.css).
  • Removed unnecessary session unset.
  • Minor text changes.

Default theme update available

Copy the link below and paste it in Settings->Themes & plugins, select "Theme" and click update.

2.4.0 - January 1st, 2018 (Happy New Year!)

  • Removed old version update support compatibility.
  • A better definition of public/private functions.
  • Corrected code logic in theme/plugin installer with an array check.
  • Added hash_equals checks to prevent CSRF timing attacks.
  • Added link to WonderCMS homepage in the Settings panel.
  • Minor text changes to the Settings panel and error messages.
  • Minor Settings panel design changes.
  • Prettified code fixes.
  • CSS fix, removed bottom border on the settings panel links. The border was visible only when designing a new theme/template from scratch.
  • Functions re-sorted alphabetically for easier overview.
  • Added 404 page editing support.
  • Added whitelist for allowed file type uploads.
  • Restructured function for deleting files, themes and plugins.
  • Updated taboverride and autosize to latest version.
  • Updated Summernote plugin to latest version and added tables to the Summernote editor toolbar.

2 plugins need manual updating (copy/paste link)

  • NOTE 1: If you don't have these plugins, there is no need to update them.
  • NOTE 2: Update WonderCMS before updating plugins.

1. Update link for Summernote editor plugin

Copy the link below and paste it in your Settings->Themes & plugins, select "Plugin" and click update.


2. Update for Additional contents plugin

Copy the link below and paste it in your Settings->Themes & plugins, select "Plugin" and click update.



Note 1: Thanks to Vekien for the corrected code logic in the theme/plugin installer, helping implement hash_equals and restructuring the function for deleting files/themes/plugins.

Note 2: Thanks to ayeshrajans for spotting the hash_equals improvement.

2.3.2 - October 11th, 2017

  • two additional ISSET checks to prevent PHP notices
  • changed HTTP 1.0 headers to HTTP 1.1
  • updated links to themes and plugins in the Settings panel (new links are: https://wondercms.com/themes and https://wondercms.com/plugins)
  • removed converted case for page titles
  • core code in WonderCMS prettified - providing a better level of readability
  • minor text changes

No actions are required for this update


Note 1: Thanks to Samrat Das for sparking a debate about file type limits in the file uploader. Share your opinion on the file uploader file type limits.

Note 2: We are dropping old version support in January 2018.

2.3.0 + 2.3.1 patch - August 23rd, 2017

  • one click backup
  • re-designed settings panel
  • theme installer + updater + remover
  • plugin installer + updater + remover
  • file uploader + remover
  • tab/indentation support
  • additional security token checks
  • added "Visit page" link next to each page in menu
  • added success message when deleting a page
  • logout link moved to top right corner
  • fixed title case when creating new pages
  • files autosize.js, taboverride.min.js and taboverride.jquery.min.js are now loaded after the admin is logged in, resulting in faster website loading
  • minor code logic fixes
  • minor text fixes
  • added two additional checks if the request for token is set (2.3.1 patch)
  • double space removal / converted to tabs (2.3.1 patch)

Special thanks to Janez Čas (HttpMaster author), Davide Vago, Robbie Antenesse and Andreas Lenhardt.

1 plugin needs to be updated from your settings panel

  • Summernote WYSIWYG editor - Simply COPY/PASTE the below link into your Settings->Themes&plugins, select plugin and click update.

2 changes in theme.php // only for custom themes

  1. In theme.php: remove autosize.js (https://cdn.jsdelivr.net/jquery.autosize/3.0.17/autosize.min.js)
  2. In style.css: replace .navbar-right li a:hover, .navbar-right li.active a with ul.nav.navbar-nav.navbar-right li a:hover, ul.nav.navbar-nav.navbar-right li.active a

2.2.1 - June 23rd, 2017

  • Custom port support. WonderCMS now works on non-standard HTTP ports - thanks to Grzegorz Kowalski.
  • JavaScript hook fix - thanks to Grzegorz Kowalski.
  • Show admin CSS and JS only when logged in. Great for even faster website load times.
  • Minor text and tab fixes.

1 plugin needs to be updated manually

  1. Additional contents plugin - DOWNLOAD the updated plugin, unzip it, and overwrite your existing addition_contents plugin folder with the new files.

2.2.0 - June 18th, 2017

  1. Added additional tokens to prevent/fix CSRF vulnerabilities - thanks to Luka Mrovlje from Mobinia inter for the fix. Special thanks to Ehsan Hosseini from Zerox Security Lab (ZeroxSecLab Twitter) for reporting this and confirming the issue is resolved.
  2. Added CSS style (text align left) to the settings panel. This is to prevent the admin settings panel text alignment from being overwritten by a custom theme.
  3. Newly created pages are now visible in the menu by default.
  4. Added extra help on the example page for new WonderCMS installations.

Plugins that need to be updated manually

  1. Summernote (WYSIWYG editor and file uploader). DOWNLOAD the new plugin, unzip it, and overwrite your existing summernote plugin folder with the new files.

2.1.0 - May 30th, 2017

  1. Easy page adding and hiding | thanks to Pascal Jordin.
  2. Easy page re-ordering | thanks to Pascal Jordin.
  3. Cleaner URLs | thanks to Pascal Jordin.
  4. Improved URL function | thanks to Luka Mrovlje.
  5. Minor code improvements.
  6. Additional thanks to turboblack (Dannis Danylenko) for all the testing.
  7. NOTE: All pages will be visible in your menu after updating. You can hide pages easily from your settings panel. This is necessary due to the new menu functionality.

2.0.6 - April 28th, 2017

  1. Fixed bug $_SERVER[REQUEST_URI] to $_SERVER['REQUEST_URI'] because of errors reported on some sites. Thanks to turboblack (Dannis Danylenko) for reporting this.

2.0.5 - April 28th, 2017

  1. Fixed display login URL in settings panel thanks to Robbie Antenesse.

2.0.4 - April 27th, 2017

  1. Update system changed from using file_get_contents to cURL - thanks to Robbie Antenesse for providing us with a more stable update system.
  2. Fixed absolute URLs to relative, this bug happened on some servers/environments and made WonderCMS URLs unusable - another thanks to Robbie Antenesse for this awesome fix.

2.0.3 - April 20th, 2017

  1. Fixed CSRF vulnerability with low severity - thanks to Ashutosh Singh for reporting this. Fixed in less than 24 hours from the time of the report.
  2. Changed/fixed span wrappers to div wrappers around editable areas - thanks to scsmash3r.
  3. Fixed bug which returned a 404 header to the logged in user.

New themes available, check them out in the WonderCMS demo.
They're all downloadable for free in the WonderCMS themes repository.

2.0.2 - March 31st, 2017

  1. Additional hook added: page - this makes plugin developers' lives easier.

New plugin available - easily create new editable areas

- Test this plugin in our WonderCMS demo. The green pluses which enable you to create new editable areas are visible after you log in.

- Download additional contents plugin and upload it to your plugins folder to activate it.

2.0.1 - March 28th, 2017

  1. Fixed bug in function name that caused errors for some users.
  2. Added default font size for settings panel.
  3. Removed unnecessary spaces and semicolons in settings CSS.

2.0.0 - March 18th, 2017

  1. This is the first non-beta release in 9 years.
  2. Major code clean up.
  3. New default theme.
  4. Improved settings panel.
  5. We now update the default theme (default theme.php, style.css) and .htaccess, we used to update only index.php.
  6. database.js versioning, which makes it really easy to define what user gets what update.
  7. "Powered by WonderCMS" link removed from footer. Wohoo freedom.
  8. Developer friendlier.
  9. Plugins are easier to develop.

Important theme.php changes - 8 tags need changing for version 2.0.0

- Easy instructions for replacement can be found here.

Important plugin changes for version 2.0.0

- The following plugins need to be updated:

- The following plugins are unavailable until developers update their plugins: