Description

WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload.

PUBLISHED Reserved 2026-01-11 | Published 2026-01-13 | Updated 2026-01-14 | Assigner VulnCheck




HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

1.5.2: affected

Credits

Antonio Cuomo (arkantolo) finder

References

www.exploit-db.com/exploits/50707 (ExploitDB-50707) exploit

wbce.org/ (WBCE CMS Official Website) product

wbce.org/de/downloads/ (WBCE CMS Downloads Page) product

github.com/WBCE/WBCE_CMS (WBCE CMS GitHub Repository) product

www.vulncheck.com/...remote-code-execution-rce-authenticated (VulnCheck Advisory: WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)) third-party-advisory

cve.org (CVE-2022-50936)

nvd.nist.gov (CVE-2022-50936)
