CRITICAL🇵🇱 Wersja polska

CVE-2025-67504

CVSS 9.1v3.1pub. 2025-12-09upd. 2025-12-11

WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Wbce Cms

    APP
    Wbce
    < 1.6.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2025-65950CRITICAL9.4PL ✓ten sam produkt

SQL Injection w WBCE CMS — nieautoryzowany dostęp do bazy danych

CVE-2023-39796CRITICAL9.8ten sam produkt

SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker ...

CVE-2022-46020CRITICAL9.8ten sam produkt

WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.

CVE-2021-3817CRITICAL9.8ten sam produkt

wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command

CVE-2022-50936HIGH8.7ten sam produkt

WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to ...