
Description

WBCE CMS is a content management system. In versions 1.6.4 and earlier, the function GenerateRandomPassword() builds passwords from the output of PHP's rand(). rand() is not a cryptographically secure PRNG: its output is fully determined by a small seed, so an attacker who observes one generated password can recover the generator state and predict or brute-force other passwords drawn from the same stream. Because these passwords are issued for new accounts and password resets, this can lead to account takeover and, where the affected account is privileged, privilege escalation. The vulnerability is fixed in version 1.6.5.
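The following is an added illustration of the failure mode the advisory describes; it is not WBCE's code and the weak generator is a hypothetical reconstruction modelled on the description, not the project's actual GenerateRandomPassword(). The alphabet, password length, the victim's seed and the search bound are all constructed for the demo. It shows a rand()-based generator, an attacker recovering the seed from one observed password and predicting the next one, and the hardened form built on random_int():

```php
<?php
// Added example (not WBCE's code). Demonstrates why a rand()-backed password
// generator is predictable and what the safe replacement looks like.

// Hypothetical weak generator modelled on the advisory: each character is
// chosen with rand(), which since PHP 7.1 is an alias of mt_rand() (MT19937).
function weak_generate_password(int $length = 12): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[rand(0, $max)];
    }
    return $password;
}

// Hardened form: random_int() draws from the OS CSPRNG and returns an
// unbiased value in [0, $max]; it cannot be reseeded or replayed.
function strong_generate_password(int $length = 12): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// Attacker side: given one password from the weak generator, enumerate seeds,
// reproduce it, and continue the same stream to obtain the NEXT password the
// process would hand out. The demo bounds the search with $seedMax so it
// finishes instantly; the real mt_srand() seed is 32 bits, which is still a
// cheap offline search. Returns null if no seed in range reproduces it.
function recover_seed_and_predict(string $observed, int $seedMax, int $length = 12): ?array
{
    for ($seed = 0; $seed <= $seedMax; $seed++) {
        mt_srand($seed);                 // resets the shared rand()/mt_rand() state
        if (weak_generate_password($length) === $observed) {
            $next = weak_generate_password($length); // same stream continues
            return ['seed' => $seed, 'next' => $next];
        }
    }
    return null;
}

// Victim simulation (constructed): a process with an unknown seed issues a
// reset password to the attacker, then a password for the next new account.
$unknownSeed = 54321;                    // assumption: attacker does not know this
mt_srand($unknownSeed);
$resetPassword = weak_generate_password();
$nextPassword  = weak_generate_password();

$result = recover_seed_and_predict($resetPassword, 100000);
echo "observed password: $resetPassword\n";
if ($result === null) {
    echo "seed not found within search bound\n";
} else {
    echo "recovered seed:    {$result['seed']}\n";
    echo "predicted next:    {$result['next']}\n";
    echo "actual next:       $nextPassword\n";
    echo "prediction correct: " . var_export($result['next'] === $nextPassword, true) . "\n";
}

// The hardened generator gives no foothold: nothing to seed, nothing to replay.
echo "random_int() password: " . strong_generate_password() . "\n";
```

Run it with `php demo.php`; the prediction line prints `true` because mt_srand() with the recovered seed replays exactly the sequence the victim process used. In a real deployment the seed is whatever PHP chose for the worker process and is not known to the attacker, but its 32-bit size and the fact that the worker keeps serving requests are what make the description's "predicted or brute-forced" claim concrete. The fix is the second function: replace rand() with random_int() (or random_bytes()) and keep the unbiased range selection.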

Published: Reserved 2025-12-08 | Published 2025-12-09 | Updated 2025-12-09 | Assigner: GitHub_M

CRITICAL: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Problem types

CWE-331: Insufficient Entropy

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Product status

< 1.6.5: affected

References

github.com/...CE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6 (tagged: exploit)

github.com/...CE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6

github.com/...ommit/5d59fe021a5c6e469b1bf192b72ca652e54278f6

cwe.mitre.org/data/definitions/338.html

github.com/WBCE/WBCE_CMS/releases/tag/1.6.5

cve.org (CVE-2025-67504)

nvd.nist.gov (CVE-2025-67504)
