CVE-2025-65094

High CVSS: 8.7

WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attackers to overwrite their group membership and obtain full administrative access. This results in a complete compromise of the CMS. This issue has been patched in version 1.6.4.

Vendor

Wbce

Product

Wbce Cms

CWE

CWE-266

Yayın Tarihi

2025-11-19 19:15:50

Güncelleme

2025-12-15 14:10:48

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-266 Wbce Cms HIGH Wbce 2025

Referanslar

https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44

Benzer Kayıtlar

High

CVE-2022-50936

WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload mal…

Medium

CVE-2023-53909

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malici…

Medium

CVE-2023-53910

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malici…

High

CVE-2023-53901

WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to c…

High

CVE-2025-34506

WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrator…

High

CVE-2024-58283

WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload mali…