Description

WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter.

PUBLISHED Reserved 2025-12-10 | Published 2025-12-10 | Updated 2025-12-11 | Assigner VulnCheck




HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-434: Unrestricted Upload of File with Dangerous Type

Product status

Default status: unaffected

1.6.2: affected

Credits

Ahmet Ümit BAYRAM (finder)

References

github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip exploit

www.exploit-db.com/exploits/52039 (ExploitDB-52039) exploit

wbce-cms.org/ (WBCE CMS Homepage) product

github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip (WBCE CMS GitHub Repository) product

www.vulncheck.com/...code-execution-via-elfinder-file-upload (VulnCheck Advisory: WBCE CMS 1.6.2 Remote Code Execution via Elfinder File Upload) third-party-advisory

cve.org (CVE-2024-58283)

nvd.nist.gov (CVE-2024-58283)
