CVE-2021-3817
published 2021-12-09

CVE-2021-3817: wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command

Priority: P274 (critical), CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 37.82% (98.4th percentile)

Affected (2 ranges)

Vendor   Product         Version range              Fixed in
wbce     wbce_cms        < 1.5.2                    1.5.2
wbce     wbce_wbce_cms   >= unspecified, < 1.5.2    1.5.2

Detection & IOCs (extracted from sources)

url: http://<target>/wbce/admin/login/forgot/index.php
path: /wbce/admin/login/forgot/index.php
command (POST body): email=%27/**/or/**/user_id=1/**/or/**/'admin%40<domain>&submit=justrandomvalue
  • Detect SQLi payload in the POST body of the password-reset endpoint: look for URL-encoded single quote followed by comment-based whitespace bypass tokens (/**/) and user_id=1 in the email parameter targeting /wbce/admin/login/forgot/index.php
  • Monitor POST requests to /wbce/admin/login/forgot/index.php with a Content-Type of application/x-www-form-urlencoded containing %27 (URL-encoded single quote) in the email field as an indicator of SQL injection exploitation attempts
  • The exploit abuses the forgot-password flow to recover plaintext admin credentials via SQLi; alert on any password-reset email triggered for user_id=1 (the administrator account) from an external or unexpected source
  • Google Dork can be used to identify exposed WBCE CMS instances: search for intext: "Way Better Content Editing"
  • The exploit targets WBCE CMS versions up to and including 1.5.1; versions beyond this may have patched the SQLi in the forgot-password endpoint
  • The attacker must control a catch-all email domain to receive the plaintext password reset email sent by the vulnerable application; the exploit author used a Namecheap domain with catch-all redirect
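The first two detection bullets describe a request-level check: a POST to the forgot-password path, form-encoded, with a single quote, `/**/` whitespace-bypass tokens and `user_id=1` in the `email` field. The following is an added example that is not part of the CVE record and not WBCE project code; the request records are constructed sample data (paths and the `example.invalid` domain are assumptions), and the functions `inspect_request`, `scan_requests` and `severity` are names chosen here. It goes slightly beyond the bullets by scoring a lone apostrophe as low confidence, since legitimate addresses can contain one.

```python
"""Flag POST requests to the WBCE forgot-password endpoint whose `email`
field carries the CVE-2021-3817 SQLi indicators (added example; the
request records below are constructed, not captured traffic)."""
import re
from urllib.parse import unquote_plus

# Endpoint quoted in the IOC list.
FORGOT_PATH = "/wbce/admin/login/forgot/index.php"


def extract_email_field(body):
    """Return the raw, still URL-encoded value of the `email` field, or ''.

    The raw form is kept so that the literal %27 indicator from the IOC
    list can be matched as well as its decoded form."""
    for pair in body.split("&"):
        if pair.startswith("email="):
            return pair[len("email="):]
    return ""


def inspect_request(req):
    """Return the list of indicator names matched by one request record.

    A record is a dict with method, path, content_type and body keys
    (assumed shape for this example)."""
    hits = []
    if req.get("method", "").upper() != "POST":
        return hits
    if not req.get("path", "").endswith(FORGOT_PATH):
        return hits
    if not req.get("content_type", "").startswith("application/x-www-form-urlencoded"):
        return hits
    raw_email = extract_email_field(req.get("body", ""))
    if not raw_email:
        return hits
    decoded = unquote_plus(raw_email)
    # Indicator 1: single quote (encoded or literal) inside the email value.
    if "%27" in raw_email or "'" in decoded:
        hits.append("quote_in_email")
    # Indicator 2: comment tokens used as whitespace bypass.
    if "/**/" in decoded:
        hits.append("comment_whitespace_bypass")
    # Indicator 3: the injected predicate aims at the administrator row.
    if re.search(r"\buser_id\s*=\s*1\b", decoded, re.IGNORECASE):
        hits.append("targets_user_id_1")
    # Indicator 4: boolean OR combined with quote/comment tokens.
    if re.search(r"\bor\b", decoded, re.IGNORECASE) and ("'" in decoded or "/**/" in decoded):
        hits.append("boolean_or_injection")
    return hits


def severity(hits):
    """A lone quote is weak evidence (o'brien@example.org is a valid address);
    two or more indicators together are treated as high confidence."""
    if len(hits) >= 2:
        return "high"
    return "low" if hits else "none"


def scan_requests(records):
    """Return (index, indicator list) for every record that matched anything."""
    findings = []
    for i, rec in enumerate(records):
        hits = inspect_request(rec)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {   # benign password reset
        "method": "POST", "path": FORGOT_PATH,
        "content_type": "application/x-www-form-urlencoded",
        "body": "email=alice%40example.org&submit=Send",
    },
    {   # mirrors the payload shape quoted in the IOC list
        "method": "POST", "path": FORGOT_PATH,
        "content_type": "application/x-www-form-urlencoded",
        "body": "email=%27/**/or/**/user_id=1/**/or/**/'admin%40example.invalid&submit=justrandomvalue",
    },
    {   # same tokens against an unrelated path: out of scope for this rule
        "method": "POST", "path": "/wbce/search/index.php",
        "content_type": "application/x-www-form-urlencoded",
        "body": "email=%27/**/or/**/user_id=1&submit=x",
    },
    {   # legitimate address containing an apostrophe: low-confidence hit only
        "method": "POST", "path": FORGOT_PATH,
        "content_type": "application/x-www-form-urlencoded",
        "body": "email=o%27brien%40example.org&submit=Send",
    },
]

if __name__ == "__main__":
    for idx, hits in scan_requests(SAMPLE_REQUESTS):
        print(f"request #{idx}: {severity(hits)} -> {', '.join(hits)}")
```

Run it as a script to see records 1 (high) and 3 (low) reported; wire `inspect_request` to whatever produces request records in your environment (a WAF log exporter, a reverse-proxy body-logging hook) and alert only on `severity(...) == "high"` to avoid paging on apostrophe addresses. The third bullet above, a reset email for `user_id=1` from an unexpected source, is an application-side signal that this request-level check does not cover.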

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P