CVE-2025-65950

Critical CVSS: 9.4

WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively bypassing all security controls. The vulnerability exists in the admin/users/save.php script, which handles updates to user profiles. The script improperly processes the groups[] parameter sent from the user edit form. This issue is fixed in version 1.6.5.

Vendor

Wbce

Product

Wbce Cms

CWE

CWE-89

Yayın Tarihi

2025-12-10 21:16:09

Güncelleme

2025-12-16 15:10:47

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-89 Wbce Cms CRITICAL Wbce 2025

Referanslar

https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5 https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-934v-xhx9-j2f3

Benzer Kayıtlar

High

CVE-2022-50936

WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload mal…

Medium

CVE-2023-53909

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malici…

Medium

CVE-2023-53910

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malici…

High

CVE-2023-53901

WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to c…

High

CVE-2025-34506

WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrator…

High

CVE-2024-58283

WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload mali…