CVE-2025-67504

Critical CVSS: 9.1

WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.

Vendor

Wbce

Product

Wbce Cms

CWE

CWE-331

Yayın Tarihi

2025-12-09 16:18:24

Güncelleme

2025-12-11 15:52:28

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-331 Wbce Cms CRITICAL Wbce 2025

Referanslar

https://cwe.mitre.org/data/definitions/338.html https://github.com/WBCE/WBCE_CMS/commit/5d59fe021a5c6e469b1bf192b72ca652e54278f6 https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5 https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6 https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6

Benzer Kayıtlar

High

CVE-2022-50936

WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload mal…

Medium

CVE-2023-53909

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malici…

Medium

CVE-2023-53910

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malici…

High

CVE-2023-53901

WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to c…

High

CVE-2025-34506

WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrator…

High

CVE-2024-58283

WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload mali…