HIGH🇬🇧 English

CVE-2022-50936

CVSS 8.7v4.0pub. 2026-01-13upd. 2026-01-20

WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Wbce Cms

    APP
    Wbce
    1.5.2
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCE
CWE
Referencje

Powiązane podatności

CVE-2025-65950CRITICAL9.4PL ✓ten sam produkt

SQL Injection w WBCE CMS — nieautoryzowany dostęp do bazy danych

CVE-2025-67504CRITICAL9.1PL ✓ten sam produkt

WBCE CMS: słabe generowanie haseł umożliwia privilege escalation

CVE-2023-39796CRITICAL9.8ten sam produkt

SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker ...

CVE-2022-46020CRITICAL9.8ten sam produkt

WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.

CVE-2021-3817CRITICAL9.8ten sam produkt

wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command