WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload.
oryginał ENCVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XWbce Cms
APPWbce1.5.2
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCE
CWE
Powiązane podatności
CVE-2025-65950CRITICAL9.4PL ✓ten sam produkt
SQL Injection w WBCE CMS — nieautoryzowany dostęp do bazy danych
CVE-2025-67504CRITICAL9.1PL ✓ten sam produkt
WBCE CMS: słabe generowanie haseł umożliwia privilege escalation
CVE-2023-39796CRITICAL9.8ten sam produkt
SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker ...
CVE-2022-46020CRITICAL9.8ten sam produkt
WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
CVE-2021-3817CRITICAL9.8ten sam produkt
wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command