CVE-2025-66204

Medium CVSS: 6.3

WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.

Vendor

Wbce

Product

Wbce Cms

CWE

CWE-307

Yayın Tarihi

2025-12-09 00:15:49

Güncelleme

2025-12-11 16:02:38

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-307 Wbce Cms MEDIUM Wbce 2025

Referanslar

https://github.com/WBCE/WBCE_CMS/commit/3765baddf27f31bbbea9c0228c452268621b25e5 https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5 https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mw https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mw

Benzer Kayıtlar

High

CVE-2022-50936

WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload mal…

Medium

CVE-2023-53909

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malici…

Medium

CVE-2023-53910

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malici…

High

CVE-2023-53901

WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to c…

High

CVE-2025-34506

WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrator…

High

CVE-2024-58283

WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload mali…