
WBCE CMS vulnerabilities

39 known vulnerabilities affecting wbce/wbce_cms.

Total CVEs: 39
CISA KEV: 0
Public exploits: 6
Exploited in wild: 1
Severity breakdown: CRITICAL 4, HIGH 14, MEDIUM 21

Vulnerabilities

Page 1 of 2
CVE-2023-39796 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | v1.6.0 | 2023-11-10
CWE-89: SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter.
Source: nvd

CVE-2021-3817 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 1.5.2 | 2021-12-09
CWE-89: wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command.
Source: nvd

CVE-2022-46020 | P2 | CRITICAL | CVSS 9.8 | PoC | v1.5.4 | 2022-12-20
CWE-434: WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
Source: nvd

CVE-2025-34506 | P2 | HIGH | CVSS 8.8 | ≤ 1.6.3 | v1.6.3 | 2025-12-11
CWE-434: WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.
Source: nvd

CVE-2024-58283 | P2 | HIGH | CVSS 8.8 | v1.6.2 | 2025-12-10
CWE-434: WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter.
Source: nvd

CVE-2022-50936 | P2 | HIGH | CVSS 8.8 | v1.5.2 | 2026-01-13
CWE-434: WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload.
Source: nvd

CVE-2025-65094 | P3 | HIGH | CVSS 8.8 | fixed in 1.6.4 | 2025-11-19
CWE-266: WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attacker
Source: nvd

CVE-2025-65950 | P3 | HIGH | CVSS 8.8 | fixed in 1.6.5 | 2025-12-10
CWE-89: WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively bypassing all security controls. The vulnerability exists in th
Source: nvd

CVE-2025-67504 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.6.5 | 2025-12-09
CWE-331: WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new
Source: nvd

CVE-2022-30073 | P4 | MEDIUM | CVSS 5.4 | PoC | v1.5.2 | 2022-05-17
CWE-79: WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via /admin/users/save.php.
Source: nvd

CVE-2017-2119 | P3 | HIGH | CVSS 8.6 | ≤ 1.1.10 | 2017-04-28
CWE-22: Directory traversal vulnerability in WBCE CMS 1.1.10 and earlier allows remote attackers to read arbitrary files via unspecified vectors.
Source: nvd

CVE-2022-45037 | P4 | MEDIUM | CVSS 5.4 | PoC | v1.5.4 | 2022-11-25
CWE-79: A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field.
Source: nvd

CVE-2022-45038 | P4 | MEDIUM | CVSS 5.4 | PoC | v1.5.4 | 2022-11-25
CWE-79: A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field.
Source: nvd

CVE-2025-66204 | P3 | HIGH | CVSS 8.1 | fixed in 1.6.5 | v>= 1.6.4, < 1.6.5 | 2025-12-09
CWE-307: WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header wi
Source: nvd

CVE-2019-17575 | P3 | HIGH | CVSS 7.2 | ≤ 1.4.0 | 2019-10-14
CWE-706: A file-rename filter bypass exists in admin/media/rename.php in WBCE CMS 1.4.0 and earlier. This can be exploited by an authenticated user with admin privileges to rename a media filename and extension. (For example: place PHP code in a .jpg file, and then change the file's base name to filename.ph and change the file's extension to p. Because of conc
Source: nvd

CVE-2022-45039 | P3 | HIGH | CVSS 7.2 | v1.5.4 | 2022-11-25
CWE-434: An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file.
Source: nvd

CVE-2023-38947 | P3 | HIGH | CVSS 7.2 | v1.6.1 | 2023-08-03
CWE-434: An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file.
Source: nvd

CVE-2023-29855 | P3 | HIGH | CVSS 7.2 | v1.5.3 | 2023-04-18
CWE-77: WBCE CMS 1.5.3 has a command execution vulnerability via admin/languages/install.php.
Source: nvd

CVE-2017-2120 | P3 | HIGH | CVSS 7.2 | ≤ 1.1.10 | 2017-04-28
CWE-89: SQL injection vulnerability in the WBCE CMS 1.1.10 and earlier allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors.
Source: nvd

CVE-2022-25099 | P3 | HIGH | CVSS 7.8 | v1.5.2 | 2022-02-24
A vulnerability in the component /languages/index.php of WBCE CMS v1.5.2 allows attackers to execute arbitrary code via a crafted PHP file.
Source: nvd