Wbce Cms

wbce_cms

Vendor: Wbce • 40 CVEs

CVEs (40)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-50936 1Wbce 1Wbce Cms Jan 20, 2026 Jan 13, 2026 8.7 HIGH· v4 8.8 HIGH· v3 N/A· v2 WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload func...Show more WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload.Show less
CVE-2023-53910 1Wbce 1Wbce Cms Dec 27, 2025 Dec 17, 2025 5.1 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can...Show more WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can submit POST requests to /wbce/modules/wysiwyg/save.php with malicious script content in the content parameter to execute JavaScript when users view the affected page.Show less
CVE-2023-53909 1Wbce 1Wbce Cms Dec 27, 2025 Dec 17, 2025 5.1 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG fi...Show more WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the /wbce/modules/elfinder/ef/php/connector.wbce.php endpoint and execute JavaScript when victims access the uploaded file.Show less
CVE-2023-53901 1Wbce 1Wbce Cms Dec 30, 2025 Dec 16, 2025 7.1 HIGH· v4 6.1 MEDIUM· v3 N/A· v2 WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging technique...Show more WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests.Show less
CVE-2025-34506 1Wbce 1Wbce Cms Dec 15, 2025 Dec 11, 2025 8.6 HIGH· v4 8.8 HIGH· v3 N/A· v2 WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP...Show more WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.Show less
CVE-2024-58283 1Wbce 1Wbce Cms Dec 16, 2025 Dec 10, 2025 8.7 HIGH· v4 8.8 HIGH· v3 N/A· v2 WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionali...Show more WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter.Show less
CVE-2025-65950 1Wbce 1Wbce Cms Dec 16, 2025 Dec 10, 2025 9.4 CRITICAL· v4 8.8 HIGH· v3 N/A· v2 WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be e...Show more WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively bypassing all security controls. The vulnerability exists in the admin/users/save.php script, which handles updates to user profiles. The script improperly processes the groups[] parameter sent from the user edit form. This issue is fixed in version 1.6.5.Show less
CVE-2025-67504 1Wbce 1Wbce Cms Dec 11, 2025 Dec 9, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to b...Show more WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.Show less
CVE-2025-66204 1Wbce 1Wbce Cms Dec 11, 2025 Dec 9, 2025 6.3 MEDIUM· v4 8.1 HIGH· v3 N/A· v2 WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited passw...Show more WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.Show less
CVE-2025-65094 1Wbce 1Wbce Cms Dec 15, 2025 Nov 19, 2025 8.7 HIGH· v4 8.8 HIGH· v3 N/A· v2 WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save...Show more WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attackers to overwrite their group membership and obtain full administrative access. This results in a complete compromise of the CMS. This issue has been patched in version 1.6.4.Show less
CVE-2023-39796 1Wbce 1Wbce Cms Nov 21, 2024 Nov 10, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter.
CVE-2023-46054 1Wbce 1Wbce Cms Nov 21, 2024 Oct 21, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Cross Site Scripting (XSS) vulnerability in WBCE CMS v.1.6.1 and before allows a remote attacker to escalate privileges via a crafted script to the website_footer parameter in the admin/settings/save.php component.
CVE-2023-43871 1Wbce 1Wbce Cms Nov 21, 2024 Sep 28, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A File upload vulnerability in WBCE v.1.6.1 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS).
CVE-2023-38947 1Wbce 1Wbce Cms Nov 21, 2024 Aug 3, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2023-29855 1Wbce 1Wbce Cms Feb 6, 2025 Apr 18, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 WBCE CMS 1.5.3 has a command execution vulnerability via admin/languages/install.php.
CVE-2022-46020 1Wbce 1Wbce Cms Apr 17, 2025 Dec 20, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
CVE-2022-45040 1Wbce 1Wbce Cms Apr 25, 2025 Nov 25, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) vulnerability in /admin/pages/sections_save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name Section field.
CVE-2022-45039 1Wbce 1Wbce Cms Apr 25, 2025 Nov 25, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-45038 1Wbce 1Wbce Cms Apr 25, 2025 Nov 25, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field.
CVE-2022-45037 1Wbce 1Wbce Cms Apr 25, 2025 Nov 25, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field.

12 Next