Unrated severity · NVD Advisory · Published Nov 19, 2025 · Updated Nov 19, 2025
WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)
CVE-2025-65094
Description
WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attackers to overwrite their group membership and obtain full administrative access. This results in a complete compromise of the CMS. This issue has been patched in version 1.6.4.
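A sketch of the missing server-side check described above, added here as an example; it is not WBCE CMS code and not the 1.6.4 patch. The function name, the Administrators group ID of 1, the rule that administrators may assign any group, and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the Administrators group has ID 1.
const ADMIN_GROUP_ID = 1;

/**
 * Validate the groups[] request parameter against what the acting user may grant.
 * Hypothetical helper, not part of WBCE CMS.
 *
 * @param int[] $actorGroups groups of the logged-in user, loaded from the session
 *                           or database, never taken from the request
 * @param mixed $submitted   raw value of the groups[] parameter
 * @return int[]             validated, de-duplicated group IDs
 */
function validate_submitted_groups(array $actorGroups, $submitted): array
{
    if (!is_array($submitted) || $submitted === []) {
        throw new RuntimeException('groups[] missing or malformed');
    }
    $requested = [];
    foreach ($submitted as $value) {
        // Accept only plain positive integers; nested arrays and other junk are rejected.
        if (!is_scalar($value) || !ctype_digit((string) $value) || (int) $value < 1) {
            throw new RuntimeException('invalid group id');
        }
        $requested[] = (int) $value;
    }
    $requested = array_values(array_unique($requested));

    // Assumed policy: administrators may assign any group,
    // everyone else only groups they already hold (what the UI offers).
    if (in_array(ADMIN_GROUP_ID, $actorGroups, true)) {
        return $requested;
    }
    $notAllowed = array_diff($requested, $actorGroups);
    if ($notAllowed !== []) {
        throw new RuntimeException('not permitted to assign groups: ' . implode(',', $notAllowed));
    }
    return $requested;
}

// Constructed sample: a user in group 3 submits group IDs the UI never offered.
foreach ([['3'], ['1'], ['3', '1']] as $groups) {
    try {
        echo implode(',', validate_submitted_groups([3], $groups)), " accepted\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The check rejects the whole request instead of silently dropping disallowed IDs, so an attempted escalation surfaces as an error that can be logged and alerted on.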
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
- github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e (mitre, x_refsource_MISC)
- github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44 (mitre, x_refsource_CONFIRM)