Filtered by vendor Wbce
Total: 35 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-58283 | 1 Wbce | 1 Wbce Cms | 2025-12-11 | N/A |
| WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter. | ||||
| CVE-2025-66204 | 1 Wbce | 1 Wbce Cms | 2025-12-11 | 8.1 High |
| WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5. | ||||
| CVE-2025-67504 | 1 Wbce | 1 Wbce Cms | 2025-12-11 | 9.1 Critical |
| WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5. | ||||
| CVE-2025-65950 | 1 Wbce | 1 Wbce Cms | 2025-12-11 | N/A |
| WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise and data exfiltration, effectively bypassing all security controls. The vulnerability exists in the admin/users/save.php script, which handles updates to user profiles. The script improperly processes the groups[] parameter sent from the user edit form. This issue is fixed in version 1.6.5. | ||||
| CVE-2025-65094 | 1 Wbce | 1 Wbce Cms | 2025-11-21 | N/A |
| WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attackers to overwrite their group membership and obtain full administrative access. This results in a complete compromise of the CMS. This issue has been patched in version 1.6.4. | ||||
| CVE-2022-45015 | 1 Wbce | 1 Wbce Cms | 2025-04-29 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Results Footer field. | ||||
| CVE-2022-45014 | 1 Wbce | 1 Wbce Cms | 2025-04-29 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Results Header field. | ||||
| CVE-2022-45013 | 1 Wbce | 1 Wbce Cms | 2025-04-29 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability in the Show Advanced Option module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Section Header field. | ||||
| CVE-2022-45012 | 1 Wbce | 1 Wbce Cms | 2025-04-29 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability in the Modify Page module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Source field. | ||||
| CVE-2022-45017 | 1 Wbce | 1 Wbce Cms | 2025-04-29 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability in the Overview Page settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Loop field. | ||||
| CVE-2022-45016 | 1 Wbce | 1 Wbce Cms | 2025-04-29 | 4.8 Medium |
| A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Footer field. | ||||
| CVE-2022-45040 | 1 Wbce | 1 Wbce Cms | 2025-04-25 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability in /admin/pages/sections_save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name Section field. | ||||
| CVE-2022-45039 | 1 Wbce | 1 Wbce Cms | 2025-04-25 | 7.2 High |
| An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file. | ||||
| CVE-2022-45038 | 1 Wbce | 1 Wbce Cms | 2025-04-25 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field. | ||||
| CVE-2022-45037 | 1 Wbce | 1 Wbce Cms | 2025-04-25 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field. | ||||
| CVE-2022-45036 | 1 Wbce | 1 Wbce Cms | 2025-04-25 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the No Results field. | ||||
| CVE-2017-1000213 | 1 Wbce | 1 Wbce Cms | 2025-04-20 | N/A |
| WBCE v1.1.11 is vulnerable to reflected XSS via the "begriff" POST parameter in /admin/admintools/tool.php?tool=user_search. | ||||
| CVE-2017-2118 | 1 Wbce | 1 Wbce Cms | 2025-04-20 | N/A |
| Cross-site scripting vulnerability in WBCE CMS 1.1.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2017-2119 | 1 Wbce | 1 Wbce Cms | 2025-04-20 | N/A |
| Directory traversal vulnerability in WBCE CMS 1.1.10 and earlier allows remote attackers to read arbitrary files via unspecified vectors. | ||||
| CVE-2017-2120 | 1 Wbce | 1 Wbce Cms | 2025-04-20 | N/A |
| SQL injection vulnerability in WBCE CMS 1.1.10 and earlier allows an attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. | ||||