CVE-2025-65094 in WBCEinformación

Resumen

por MITRE • 2025-11-19

WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attackers to overwrite their group membership and obtain full administrative access. This results in a complete compromise of the CMS. This issue has been patched in version 1.6.4.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsable

GitHub M

Reservar

2025-11-17

Divulgación

2025-11-19

Moderación

aceptado

Artículo

VDB-333022

CPE

listo

CWE

CWE-266 (confirmado)

CVSS

8.8 (NVD)

EPSS

0.00064

KEV

Actividades

muy bajo

Sector

Agriculture, Hostingprovider, ...

Fuentes

MITRE	https://www.cve.org/CVERecord?id=CVE-2025-65094
NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-65094
CVE Details	https://www.cvedetails.com/cve/CVE-2025-65094/

◂ Anterior Visión De Conjunto Próximo ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!