CVE-2025-67504
Published: 2025-12-09
Priority: P3, 54
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.44% (35.4th percentile)
WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wbce | wbce_cms | < 1.6.5 | 1.6.5 |
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://cwe.mitre.org/data/definitions/338.html
https://github.com/WBCE/WBCE_CMS/commit/5d59fe021a5c6e469b1bf192b72ca652e54278f6
https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5
https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6