HIGH🇵🇱 Wersja polska

CVE-2022-50936

CVSS 8.7v4.0pub. 2026-01-13upd. 2026-01-20

WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Wbce Cms

    APP
    Wbce
    1.5.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-65950CRITICAL9.4PL ✓ten sam produkt

SQL Injection w WBCE CMS — nieautoryzowany dostęp do bazy danych

CVE-2025-67504CRITICAL9.1PL ✓ten sam produkt

WBCE CMS: słabe generowanie haseł umożliwia privilege escalation

CVE-2023-39796CRITICAL9.8ten sam produkt

SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker ...

CVE-2022-46020CRITICAL9.8ten sam produkt

WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.

CVE-2021-3817CRITICAL9.8ten sam produkt

wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command