Vulnerability Details CVE-2025-34506
WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 63.7%
CVSS Severity
CVSS v3 Score 8.8
References
- https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE
- https://github.com/WBCE/WBCE_CMS
- https://wbce-cms.org/
- https://www.exploit-db.com/exploits/52132
- https://www.vulncheck.com/advisories/wbce-cms-authenticated-remote-code-execution-via-module-upload
- https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
Products affected by CVE-2025-34506
-
cpe:2.3:a:wbce:wbce_cms:-
-
cpe:2.3:a:wbce:wbce_cms:1.0.0
-
cpe:2.3:a:wbce:wbce_cms:1.1.0
-
cpe:2.3:a:wbce:wbce_cms:1.1.1
-
cpe:2.3:a:wbce:wbce_cms:1.1.10
-
cpe:2.3:a:wbce:wbce_cms:1.1.11
-
cpe:2.3:a:wbce:wbce_cms:1.1.2
-
cpe:2.3:a:wbce:wbce_cms:1.1.3
-
cpe:2.3:a:wbce:wbce_cms:1.1.4
-
cpe:2.3:a:wbce:wbce_cms:1.1.6
-
cpe:2.3:a:wbce:wbce_cms:1.1.8
-
cpe:2.3:a:wbce:wbce_cms:1.1.9
-
cpe:2.3:a:wbce:wbce_cms:1.2.0
-
cpe:2.3:a:wbce:wbce_cms:1.3.0
-
cpe:2.3:a:wbce:wbce_cms:1.3.1
-
cpe:2.3:a:wbce:wbce_cms:1.3.2
-
cpe:2.3:a:wbce:wbce_cms:1.3.3
-
cpe:2.3:a:wbce:wbce_cms:1.4
-
cpe:2.3:a:wbce:wbce_cms:1.4.0
-
cpe:2.3:a:wbce:wbce_cms:1.4.1
-
cpe:2.3:a:wbce:wbce_cms:1.4.2
-
cpe:2.3:a:wbce:wbce_cms:1.4.3
-
cpe:2.3:a:wbce:wbce_cms:1.4.4
-
cpe:2.3:a:wbce:wbce_cms:1.4.5
-
cpe:2.3:a:wbce:wbce_cms:1.5.0
-
cpe:2.3:a:wbce:wbce_cms:1.5.1
-
cpe:2.3:a:wbce:wbce_cms:1.5.2
-
cpe:2.3:a:wbce:wbce_cms:1.5.3
-
cpe:2.3:a:wbce:wbce_cms:1.5.4
-
cpe:2.3:a:wbce:wbce_cms:1.6.0
-
cpe:2.3:a:wbce:wbce_cms:1.6.1
-
cpe:2.3:a:wbce:wbce_cms:1.6.2
-
cpe:2.3:a:wbce:wbce_cms:1.6.3