Description

WBCE CMS versions 1.6.3 and prior contain an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.

PUBLISHED Reserved 2025-04-15 | Published 2025-12-11 | Updated 2025-12-12 | Assigner VulnCheck




HIGH: 8.6 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-434: Unrestricted Upload of File with Dangerous Type

Product status

Default status: unaffected

1.6.3: affected

Credits

Swammers8 (finder)

References

www.exploit-db.com/exploits/52132 (ExploitDB-52132) exploit

wbce-cms.org/ (WBCE CMS Homepage) product

github.com/WBCE/WBCE_CMS (WBCE CMS GitHub Repository) product

youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e (YouTube Demonstration) product

github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE (Swammers8 GitHub Repository) technical-description

www.vulncheck.com/...remote-code-execution-via-module-upload (VulnCheck Advisory: WBCE CMS 1.6.3 Authenticated Remote Code Execution via Module Upload) third-party-advisory

cve.org (CVE-2025-34506)

nvd.nist.gov (CVE-2025-34506)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.