Description
WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.
Published: 2025-12-11
Score: 8.6 High
EPSS: 1.0% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

WBCE CMS versions 1.6.3 and earlier allow an authenticated attacker with administrative privileges to upload a specially crafted ZIP module that contains embedded PHP reverse‑shell code. When the malicious module is installed, the system executes the PHP code on the server, granting the attacker remote control over the affected host. The vulnerability enables full compromise of confidentiality, integrity, and availability, effectively turning the CMS into a command and control point for further attacks. The weakness is identified as CWE‑434, Unrestricted Upload of File with Dangerous Type.

Affected Systems

The affected product is WBCE CMS. Versions through 1.6.3 are vulnerable. The Common Platform Enumeration for 1.6.5 is present in the data set, suggesting that the fix is included in version 1.6.5 and later. Administrators running any earlier release must be aware that they are exposed.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity, and the EPSS score of 1% shows that the vulnerability is not widely exploited but still represents a realistic threat. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access; the attacker must obtain or compromise an administrator account to upload and activate the malicious module. Once activated, the attack runs with the privileges of the web server, providing a full remote execution vector.

Generated by OpenCVE AI on April 22, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WBCE CMS to version 1.6.5 or newer where the upload validation is corrected.
  • If an immediate upgrade is not possible, disable the module upload feature for administrative accounts or enforce strict validation to reject non‑UTF‑8 or non‑ZIP file types, preventing malicious module deployment.
  • Continuously monitor server logs and the modules directory for unexpected changes or reverse‑shell activity, and block the offending module immediately while investigating the source of the upload.

Generated by OpenCVE AI on April 22, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wbce:wbce_cms:1.6.5:*:*:*:*:*:*:*

Mon, 15 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wbce:wbce_cms:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 12 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wbce
Wbce wbce Cms
Vendors & Products Wbce
Wbce wbce Cms

Thu, 11 Dec 2025 22:00:00 +0000

Type Values Removed Values Added
Description WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.
Title WBCE CMS 1.6.3 Authenticated Remote Code Execution via Module Upload
Weaknesses CWE-434
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Wbce Wbce Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:48.640Z

Reserved: 2025-04-15T19:15:22.611Z

Link: CVE-2025-34506

cve-icon Vulnrichment

Updated: 2025-12-12T19:33:26.795Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-11T22:15:53.823

Modified: 2025-12-15T18:07:41.337

Link: CVE-2025-34506

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T21:00:06Z

Weaknesses